December 21, 2017
For the second time this week, a trove of data that could be used to defraud online merchants, banks, consumers and others has been unearthed by a security company. Unlike an earlier report, however, this time a single company is responsible for exposing the information of up to 123 million households. Alteryx, an online marketing and data analytics firm, exposed a database containing a wide breadth of information attached to each of the 123 million records. The database does not include names, but personal information including addresses, ZIP codes, phone numbers and other data could yield an associated name with very little digging.
Where the aggregated file uncovered last week contained username/password combos, the Alteryx database includes information that could be used to build a full profile and defeat knowledge-based authentication questions. The compromised information in each record includes 248 different data points about a household, including the number and ages of children living in the home, what kinds of magazines they read, mortgage information, what kind of car they drive and how old it is, whether they own investment properties, propensity to own a cat or dog, and creditworthiness.
While the file was exposed by Alteryx, the database contained information that originated with the U.S. Census Bureau and Experian (despite its own breach problems, Experian was not responsible for this compromise, according to multiple reports). Both have partnerships with Alteryx to share information.
“The exposed data reveals billions of personally identifying details and data points about virtually every American household,” said a blog post from UpGuard, the cyber risk company that publicized the breach. “[It] would be invaluable for unscrupulous marketers, spammers, and identity thieves, for whom this data would be largely reliable and, more importantly, varied. With a large database of potential victims to survey—with such details as ‘mortgage ownership’ revealed, a common security verification question—the price could be far higher than merely bad publicity.”
UpGuard found the data in an Amazon Web Services “storage bucket,” available to anyone with a free AWS account.