IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Experian data on 120 million users found in leaky AWS bucket

Marketing firm Alteryx had failed to password protect the data

A researcher has revealed the personal details of 120 million American households were publicly accessible online because the marketing firm holding the data was using a misconfigured AWS bucket.

Chris Vickery, a cybersecurity researcher from UpGuard told Forbes about the breach, which included 448 fields of personal information. The data, originally generated by Experian and sold to marketing analytics firm Alteryx, was found sitting in an AWS server without a password. 

This meant the data in its entirety could be accessed by anyone with the valid URL, without having to enter any security details or validation checks.

Vickery explained it's likely the data was part of Alteryx's Designer With Data product, which the company sells for almost $40,000 (30,000) per license. It includes detailed information about consumers, including "consumer demographics, life event, direct response, property, and mortgage information," which could offer accurate profiles for criminals looking for potential targets. 

When Alteryx was notified of the possibility of a breach, it said it immediately secured the bucket, removed the file and has now taken steps to prevent such data being exposed again. It also added that the dataset did not include any personal details such as names or any other identifiers.

"Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes," the company said in a statement provided to Forbes. "The information in the file does not pose a risk of identity theft to any consumers."

Experian also denied responsibility, saying it was Alteryx that was in charge of the data and therefore it was the marketing firm's duty to protect the data. The spokesperson also confirmed no identifiable information was included in the file.

However, Vickery, who frequently exposes security lapses of this kind, believes a criminal could piece the information together using other sources of information.

"If you cross-reference it with a voter registration database, or if you have records from an advertiser on the web, like a big web advertiser, you piece these things together and you've got a very accurate view of who someone is: what they like doing, where they work, where they live, how many kids they have," he said.

This is only the latest example of a company failing to correctly configure an AWS bucket, leaving potentially sensitive user data open to the public. Most recently, Vickery found over 100GB of NSA data was found sitting on an unprotected bucket, a great deal of which was regarded as classified material. 

The personal information of two million Dow Jones customers137GB of Accenture client data, and the data belonging to three million WWE fans have all been discovered sitting in AWS servers without password protection this year. 

Image: Bigstock

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
16 ways to speed up your laptop

16 ways to speed up your laptop

13 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022