Incident Of The Week: Unsecure Cloud Could Have Compromised 123M Americans

Add bookmark
Dan Gunderman
Dan Gunderman
12/22/2017

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine the exposure of sensitive information from 123 million American households due to a faulty setup on an Amazon Web Services (AWS) account.

A rich data “bucket” was found on AWS and contained demographic information about nearly every American household.

The database was discovered by the UpGuard Cyber Risk Team. It belonged to the California-based marketing and analytics firm Alteryx and was configured so that any AWS user could download the sensitive information. AWS users now number about a million.

Within the repository were data sets belonging to an Alteryx partner, the consumer credit reporting agency Experian, and the U.S. Census Bureau. Despite the census’ public profile, the Experian “ConsumerView” marketing database – sold to other enterprises – contained highly sensitive fields about finances, spending habits, creditworthiness and more.

According to UpGuard, “The exposed data constitutes a remarkably invasive glimpse into the lives of American consumers.”

See Related: Incident Of The Week: 'Triton' Malware Takes Down Industrial Plant

The database reportedly contained 123 million rows, each one representing American households. That estimate comes close to the total number of households existent in the U.S. at the time of the file’s likely creation in 2013.

The exposure of this information could have led to widespread spamming efforts, direct marketing or fraudulent or malicious activity.

UpGuard writes, “The continuing concentration of data by a number of large enterprises, now wielding powerful technology of the sort provided by Alteryx, has not been accompanied by greater prudence and process improvement necessary to ensure that the data will remain securely stored. The result has been, in the same way warming waters increase the power of hurricanes, that data exposures such as this are capable of exposing the vast majority of American households to compromise with one error.”

The investigative findings also highlight the inherent third party vendor risk – as it pertains to sensitive data. Further, it shows that any sort of chain business model – of interconnected and sharable information between enterprises – presents a serious risk. This is especially true when it comes to data intermingling, visibility and PII safekeeping.

Although some enterprises may boast high CSTAR Cyber Risk scores, if one unsecure entity gets breached, the entire system becomes susceptible. One kink in the wall, and the whole structure could crumble. And, such is the case of Alteryx, which earned a score of 692 (of a possible 950), according to UpGuard. (Experian scored 728; the U.S. Census Bureau scored 872.)

See Related: Incident Of The Week: NiceHash Gets Bad Hack in $70M Bitcoin Theft

The UpGuard findings also say that primary enterprises are “inviting risk if they cannot be sure of similarly stringent maintenance within the operations of partners handling their data.”

From a broader perspective, this information should make enterprise security professionals tremble in their boots – but only for the right reasons. Strict, disciplined and routine maintenance on PII – stored internally or held in a cloud-type environment – is required. Or, your enterprise could be the next high-profile target.

To rub salt in the wound, this disclosure comes only months after fellow consumer reporting agency Equifax announced a breach that affected 145 million U.S. customers’ PII (names, social security numbers, birth dates, addresses and some driver’s license numbers). The attack was felt outside the U.S. as well, in the U.K. and Canada.

Stay current with CSHub.com content to see how enterprises are coping with emerging threats!


RECOMMENDED