Cloud-Based Repository Leak Exposes 123 Million American Households (zdnet.com)
"An Amazon Web Services (AWS) S3 cloud storage bucket containing information from data analytics firm Alteryx has been found publicly exposed, comprising the personal information of 123 million U.S. households," reports ZDNet. "The S3 bucket, located at the subdomain 'alteryxdownload,' was found by California cybersecurity firm UpGuard, with its Cyber Risk Team discovering the leak on October 6, 2017." From the report: The 36 GB data file titled "ConsumerView_10_2013" contained over 123 million rows, each one signifying a different American household. A similar file was seen by UpGuard when the personal details of 198 million American voters, compiled in a dataset by a data firm used by the Republican National Committee, were exposed. To highlight the breadth of the issue, UpGuard said the exposed data reveals over 3.5 billion fields of personally identifying details and data points about virtually every American household, including racial and ethnic information. The spreadsheet uses anonymized identifiers, but the information in the other few billion fields is very detailed, UpGuard said. Home addresses, contact information, mortgage status, financial histories, and very specific analysis of purchasing behavior -- such as domestic travel habits, if someone is a cat enthusiast, and their sporting interests -- is up for grabs in the exposed data. As for how this happened, ZDNet says, "the bucket was configured via permission settings to allow any AWS 'Authenticated Users' to download its stored data. Authenticated users are any user that has an AWS account."
WTF is Alteryx? (Score:1)
And why do they have so much data on everyone?
Re: WTF is Alteryx? (Score:1)
Alteryx is the next Cloud Enabled Self Service ETL tool du jour that a lot of companies are latching on to this year to do Big Data (tm) stuff. Gartman Magic Quadrant blah blah blah. So basically the same thing you can do in any number of other tools, except you drag little icons around.
Re: (Score:3)
From the first paragraph of TFA:
So Alteryx got data from a credit bureau and screwed it up. This should at least open them up to a massive lawsuit from Experian for breach of contract.
US Census Bureau (Score:1)
Thanks for keeping your oath, US Census Bureau.
From: https://census.gov/programs-surveys/acs/about/is-my-privacy-protected.html
The Census Bureau is legally bound to strict confidentiality requirements. Individual records are not shared with anyone, including federal agencies and law enforcement entities. By law, the Census Bureau cannot share respondents' answers with anyone -- not the IRS, not the FBI, not the CIA, and not with any other government agency.
All Census Bureau employees take an oath of nondisclosure and are sworn for life to protect all information that could identify individuals. Disclosing ANY information that could identify you or your family means 5 years in prison, or $250,000 in fines, or both.
From: https://www.census.gov/privacy/
We are committed to handling your information responsibly. Your information is kept confidential. This commitment applies to the individuals, households, and businesses that answer our surveys, and to those browsing our website.
This reminds me of when the U.S. Census Bureau gave up information leading to the detainment of Japanese Americans.
Somebody should be going to prison if these allegations prove to be true.
Re: (Score:1)
Put these fuckers out of business. (Score:1)
And send the executives to prison for the rest of their lives.
Re: (Score:2)
Re: (Score:2)
So that their gold fillings can be easily extracted?
Capitalism will correct this (Score:3, Funny)
Don't worry. The invisible hand of the free market will solve this. That is also the reason nobody is in this database who did not volunteer for it.
Re: (Score:2)
The world starts making a lot more sense when you stop viewing it in black and white, and see that absolutes are exceedingly rare, and most sayings are only partially true depending on the situation - be it capitalism or freedom of information.
Re: (Score:2)
I think the real problem is, that much data and you can mine it to find all US agents operating abroad, all in the data patterns. The more information you have about all US citizens, the easier it is to find the ones who have chosen to work for three letter agencies and then find the identity shift, from citizen to spy overseas. Youch, much worse and much more dangerous than it seems, especially to the spy vs spy types, extremely problematic from that point of view, especially how much fucking around the US
Cloudy with a chance of rain. (Score:1)
Apparently Amazon doesn't understand security. Their cloud leaks more than most.
Re: (Score:2)
Amazon has been sending their customers warnings about misconfigured S3 buckets for a while now. In order for something like this to happen, a customer would have ignored these warnings for the past 9 months.
So, yeah, someone probably deserves to be fired over this.
Re: (Score:2)
I've seen this happen.
Back when Moby Dick was a minnow, I set a firm up with AT&T DSL.
I used their firm@firm.com email as the sysadmin contact and watched them change the password so I could not get in.
Months later their Internet failed and I jumped through hoops with AT&T, learning that they had changed their name servers.
They had been sending countdown emails, but no one at the firm ever looked.
Re: (Score:2)
This one isn't on Amazon. These rank amateurs at Alteryx didn't configure their shit properly. Morons don't understand how to protect their data then they poo-poo reports of the severity of the breach. They really don't know what the hell they are doing.
This company needs to die.
Re: (Score:2)
This is what I'm talking about:
"Default security settings for S3 buckets usually allow only authorised users to access the contents; however, UpGuard reports the bucket was configured via permission settings to allow any AWS "Authenticated Users" to download its stored data."
Alteryx or whatever the fuck their name is set moron permissions and exposed their sensitive data. Amazon can only do so much to engineer around pure stupidity.
Re: (Score:2)
What kind of bullshit was going through the idiot's brain when he added Any Authenticated User permission to an S3 bucket that would be used internally by their application?
There are at least two people who should be fired..... the Employee who added that ridiculous permission, AND the manager who failed to have auditing in place for AWS permissions.
any AWS "Authenticated Users is all AWS and not (Score:2)
any AWS "Authenticated Users" is all AWS and not just all in your group??
It's like Windows AD where you think it's just any AD user on your domain or local system but is really any Windows user on the web.
Re: any AWS "Authenticated Users is all AWS and no (Score:1)
Many organizations have VPCs and any average person might think a setting of public means it is public within that context, not to the entire net. Am I wrong here or is an S3 bucket made public not to the world but to the VPC? I tend to be careful, but cloud vendors really could improve this by making anything visible only to the company VPC unless special effort is shown. I however do not think that this is an AWS fault in any way.
Anyone responsible would test this before dumping a DB there.
Re: Cloudy with a chance of rain. (Score:2)
You would be surprised how many people do not know or do not care to. I am talking about IT people, not Mom & Pop. The customer "Just wants it working!" is the excuse. Other times people just do not want the authentication to be a factor in troubleshooting and forget to close access afterward.
Many times, it is a bit of both. And the amount these people get paid (75k+), they should be fired for negligence. I once had to tell a client that they left their Sharepoint with sensitive data ope
Re: Cloudy with a chance of rain. (Score:1)
I do not think this is AWS's fault in any way; I do, however, think there are problems. You have a company that has one or many VPCs and employees are being told "we have an extended LAN there". EC2 "public" follows these rules (confusing that you open port access with a warning to anyone being VPC) while an S3 bucket does not (so same warning, this time it is the world).
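The confusion in the posts above is the security-relevant point of the whole thread: in S3 the predefined "Authenticated Users" grantee means any AWS account anywhere, and a bucket is not inside a VPC at all, so nothing scopes it to "your" network unless a bucket policy condition does. The audit below is an added example, not code from the thread, from Alteryx or from UpGuard. It takes an ACL and a bucket policy in the shapes returned by `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` and flags grants that reach past the owning account: the `AuthenticatedUsers` group the article describes, and, going a step beyond the thread, the `AllUsers` group and any `Allow` statement with `Principal: "*"` that lacks a VPC-endpoint, account or org condition. All documents, the owner ID and the `vpce-PLACEHOLDER` endpoint id are constructed for the demo; no AWS calls are made.

```python
"""Audit an S3 bucket's ACL and bucket policy for grants that reach beyond
the owning account. Added example with constructed input; it makes no AWS
calls, and the shapes mirror `aws s3api get-bucket-acl` / `get-bucket-policy`."""
import json

# Predefined S3 group URIs. "AuthenticatedUsers" means every AWS account in
# the world, not just principals in your own account or VPC.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# Condition keys that scope a wildcard principal to your own network or org.
SCOPING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:principalorgid",
                "aws:sourceaccount", "aws:principalaccount"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_findings(acl):
    """Flag ACL grants to the global AuthenticatedUsers / AllUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee, perm = grant.get("Grantee", {}), grant.get("Permission")
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") == AUTHENTICATED_USERS:
            findings.append(f"ACL grants {perm} to any AWS account (AuthenticatedUsers)")
        elif grantee.get("URI") == ALL_USERS:
            findings.append(f"ACL grants {perm} to anyone, even anonymous (AllUsers)")
    return findings


def _wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _scoped(statement):
    """True if some condition key ties the statement to our VPC/account/org."""
    for keys in statement.get("Condition", {}).values():
        if any(k.lower() in SCOPING_KEYS for k in keys):
            return True
    return False


def policy_findings(policy):
    """Flag Allow statements open to Principal '*' with no scoping condition."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") == "Allow" and _wildcard_principal(st.get("Principal")) \
                and not _scoped(st):
            actions = ", ".join(_as_list(st.get("Action", [])))
            findings.append(f"policy statement {i} allows {actions} to Principal '*' "
                            "with no VPC/account condition")
    return findings


def audit_bucket(acl, policy):
    return acl_findings(acl) + policy_findings(policy)


# --- constructed sample documents (not real Alteryx data) ---
OWNER = {"ID": "constructed-owner-canonical-id"}
LEAKY_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
]}
SAFE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
]}
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}
# Same access, but only through one VPC endpoint (placeholder id, not a real one).
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}},
]}

if __name__ == "__main__":
    for name, acl, pol in [("leaky", LEAKY_ACL, LEAKY_POLICY),
                           ("scoped", SAFE_ACL, SCOPED_POLICY)]:
        print(name, json.dumps(audit_bucket(acl, pol), indent=2))
```

Run against the leaky pair it reports the `READ` grant to `AuthenticatedUsers` and the unconditioned wildcard statement; the scoped pair is clean because the only wildcard statement is tied to a VPC endpoint via `aws:SourceVpce`. The check is deliberately document-based so it can run over exported ACLs and policies in a pipeline, which is the "auditing in place for AWS permissions" one poster says was missing.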
Oh Noes! (Score:4, Insightful)
Re: (Score:1)
Re: (Score:2)
It was only readable to people with an AWS account.
Now you're questioning (Score:2)
As for how this happened, ZDNet says, "the bucket was configured via permission settings to allow any AWS 'Authenticated Users' to download its stored data. Authenticated users are any user that has an AWS account."
Hey, we had security protocols; that you find them inadequate, well, maybe that's a you problem.
So, we're just going to keep doing this I guess? (Score:2)
So, we're just going to keep doing this I guess?
And in other Surprising News... (Score:2)
WTF! (Score:1)
Re: (Score:1)
The entities aren't associated with Hillary Clinton, so an infinite number?
Nuh-Uh! (Score:2)
Re: (Score:2)
Because now people can find all the jews/muslims/blacks/whites/mexicans/etc for their hate crime victims.
Welcome to the cloud... (Score:1)
No matter how secure the communications between the app on your phone and the cloud service...no matter how secure the passwords or TFA methods are to prohibit unauthorized access...no matter how many guards and locks they put on the server room...if the administrator runs a full backup and throws it into an insecure Amazon S3 bucket (or some other cloud provider's bucket)...or copies it onto a portable drive and leaves the drive on his front seat while he runs into the store...or he is tempted by an offer
Cloud computing... (Score:2)
Now instead of a mistake causing a server to be open to your intranet, it's now exposed to the entire internet on a platform constantly scanned for unsecured servers.
Standard Question (Score:1)
Where is the data so I can check and see what they leaked about me?
For those wondering (Score:4, Informative)
Re: (Score:1)
Re: (Score:2)
Where can I get a copy? (Score:3)
Where can I get a copy?
I'd like to see how well de-identified it is.