Credit reporting firms go to great lengths to convince the public that the data they collect won’t fall into the wrong hands. But what happens when they sell that data to a third party? Can the buyer make the same guarantees?
That’s a question the consumer data industry is now grappling with after a discovery that Irvine marketing and analytics company Alteryx Inc. accidentally made public a file that contained the personal information of 123 million American households. (The U.S. has 126 million households in all, according to the Census Bureau.)
The database contained information across 248 categories, including addresses, phone numbers, mortgage ownership, age, ethnicity and personal interests such as whether a person is a dog or cat enthusiast. The data did not include people’s names, Social Security numbers, credit card information or passwords.
The data sets originally belonged to credit reporting firm Experian and the U.S. Census Bureau. Chris Vickery, the director of cyber risk research at cybersecurity start-up UpGuard, discovered the data Oct. 6 on Amazon Web Services, or AWS.
“When we discovered this issue, we removed the file from AWS and also added a layer of additional security to the AWS bucket where the file was stored,” Alteryx Chief Executive Dean Stoecker said in a statement. “We will maintain a similar level of enhanced security for any dataset that we offer to our customers going forward.”
There’s no sign that the Alteryx data fell into the wrong hands, but this kind of vulnerability remains a problem for the IT industry, according to Dan O’Sullivan, an analyst with Mountain View, Calif.-based UpGuard. It poses a particular problem to data collection agencies that, despite efforts to secure consumer data on their own servers, have little to no control over how their partners handle the information.
“Most enterprises lack the ability to even assess the security postures of external vendors,” O’Sullivan said in a blog post.
One of the ways Experian and other consumer credit reporting firms make money is by selling user data to third parties for marketing purposes, which is how Alteryx got the data to begin with. (The Census Bureau data included in Alteryx’s files already were publicly available.)
As massive amounts of consumer data increasingly get passed around, not all agencies and companies are exercising the same level of caution, according to O’Sullivan. The U.S. Census Bureau rates 872 on the CSTAR cyber risk score (out of a maximum of 950), and Experian rates 728. Alteryx, meanwhile, scored 692.
This shows that a “weaker link can be fatal throughout the chain,” O’Sullivan said.
Millions of Americans had their personal information exposed this year through data breaches, the most high profile of which was Equifax, the credit reporting firm that was hacked sometime from mid-May through July. Equifax announced the breach in September and said hackers had accessed the Social Security numbers and birthdates of up to 143 million Americans.
Alteryx’s exposed data was marketing information rather than credit information, which is an important distinction to make, according to consumer data experts, because marketing information tends to be commercially available and doesn’t include personally identifiable information.
That said, “it’s possible that data thieves could cross-reference stolen information with other available public information,” security company Norton said in a blog post.