123 million households exposed after AWS storage bucket misconfiguration by Alteryx

Nearly 123 million households had their personal information exposed in a fiasco involving an AWS storage bucket improperly configured by analytics firm Alteryx.

The AWS S3 bucket contained information from the 2010 census, which is already publicly accessible, but also contained Experian records that are commercially but not publicly available.

The problem occurred after an AWS S3 silo was insecurely configured – the privacy setting on the S3 bucket allowed anybody with an AWS account to view the data.

The issue was brought to light by security firm UpGuard, which said that the cloud storage silo contained everything from “home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior.”

The silo has since been locked down, but the exposure could have put the data of millions of American households at risk of theft and abuse.

To be clear, this is purely the user’s fault, not Amazon’s. By default, only authorized users can access these S3 storage buckets. Many companies, however, prefer to take the easy route and make the data accessible to anyone with an Amazon cloud account.

Alteryx responded to the incident with a statement from its CEO, Dean Stoecker:

“When we discovered this issue, we removed the file from AWS and also added a layer of additional security to the AWS bucket where the file was stored. We will maintain a similar level of enhanced security for any dataset that we offer to our customers going forward.”
