
Cloud-Based Repository Leak Exposes 123 Million American Households (zdnet.com) 62

"An Amazon Web Services (AWS) S3 cloud storage bucket containing information from data analytics firm Alteryx has been found publicly exposed, comprising the personal information of 123 million U.S. households," reports ZDNet. "The S3 bucket, located at the subdomain 'alteryxdownload,' was found by California cybersecurity firm UpGuard, with its Cyber Risk Team discovering the leak on October 6, 2017." From the report: The 36 GB data file titled "ConsumerView_10_2013" contained over 123 million rows, each one signifying a different American household. A similar file was seen by UpGuard when the personal details of 198 million American voters, compiled in a dataset by a data firm used by the Republican National Committee, were exposed. To highlight the breadth of the issue, UpGuard said the exposed data reveals over 3.5 billion fields of personally identifying details and data points about virtually every American household, including racial and ethnic information. The spreadsheet uses anonymized identifiers, but the information in the other few billion fields are very detailed, UpGuard said. Home addresses, contact information, mortgage status, financial histories, and very specific analysis of purchasing behavior -- such as domestic travel habits, if someone is a cat enthusiast, and their sporting interests -- is up for grabs in the exposed data. As for how this happened, ZDNet says, "the bucket was configured via permission settings to allow any AWS 'Authenticated Users' to download its stored data. Authenticated users are any user that has an AWS account."
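
An added example, not part of the Slashdot post or the ZDNet report: a small audit of S3 ACL documents for the kind of grant described above, showing what a grant to a global group allows on a bucket versus on an object. The resource names and ACL contents are constructed; the input follows the shape of the GetBucketAcl / GetObjectAcl responses, and the group URIs and permission names are the ones S3 uses.

```python
# Added example: flag S3 ACL grants to the two global groups.
# Input dicts follow the shape of the GetBucketAcl / GetObjectAcl responses.
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers":
        "anyone on the internet, unauthenticated",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers":
        "any principal in any AWS account, not only the owner's",
}
# (resource kind, permission) -> (what the grantee can do, severity)
EFFECT = {
    ("bucket", "READ"): ("list object keys", "high"),
    ("bucket", "WRITE"): ("create, overwrite and delete objects", "critical"),
    ("bucket", "READ_ACP"): ("read the bucket ACL", "medium"),
    ("bucket", "WRITE_ACP"): ("rewrite the bucket ACL", "critical"),
    ("object", "READ"): ("download the object", "high"),
    ("object", "READ_ACP"): ("read the object ACL", "medium"),
    ("object", "WRITE_ACP"): ("rewrite the object ACL", "critical"),
}

def audit_acl(resource, kind, acl):
    """Return one finding per permission granted to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = GLOBAL_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") != "Group" or who is None:
            continue  # owner, named accounts, LogDelivery: not world-facing
        perm = grant["Permission"]
        # FULL_CONTROL is shorthand for every permission valid on this kind
        perms = ([p for k, p in EFFECT if k == kind]
                 if perm == "FULL_CONTROL" else [perm])
        for p in perms:
            effect, severity = EFFECT.get((kind, p), ("unknown effect", "high"))
            findings.append({"resource": resource, "grantee": who,
                             "permission": p, "effect": effect,
                             "severity": severity})
    return findings

# Constructed sample data (not taken from the incident).
AUTH = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"}
SAMPLE_BUCKET_ACL = {"Grants": [OWNER,
    {"Grantee": {"Type": "Group", "URI": AUTH}, "Permission": "READ"}]}
SAMPLE_OBJECT_ACL = {"Grants": [OWNER,
    {"Grantee": {"Type": "Group", "URI": AUTH}, "Permission": "READ"}]}

if __name__ == "__main__":
    for f in (audit_acl("example-bucket", "bucket", SAMPLE_BUCKET_ACL)
              + audit_acl("example-bucket/data.csv", "object", SAMPLE_OBJECT_ACL)):
        print(f"[{f['severity']}] {f['resource']}: {f['grantee']} can {f['effect']}")
```

ACLs are only one of the ways S3 access is granted; bucket policies are evaluated separately and need their own review.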

  • by Anonymous Coward

    And why do they have so much data on everyone?

    • by Anonymous Coward

      Alteryx is the next Cloud Enabled Self Service ETL tool du jour that a lot of companies are latching on to this year to do Big Data (tm) stuff. Gartman Magic Quadrant blah blah blah. So basically the same thing you can do in any number of other tools, except you drag little icons around.

    • From the first paragraph of TFA:

      Exposed within the repository are massive data sets belonging to Alteryx partner Experian, the consumer credit reporting agency, as well as the US Census Bureau, providing data sets from both Experian and the 2010 US Census.

      So Alteryx got data from a credit bureau and screwed it up. This should at least open them up to a massive lawsuit from Experian for breach of contract.

      • by Anonymous Coward

        Thanks for keeping your oath, US Census Bureau.

        From: https://census.gov/programs-surveys/acs/about/is-my-privacy-protected.html

        The Census Bureau is legally bound to strict confidentiality requirements. Individual records are not shared with anyone, including federal agencies and law enforcement entities. By law, the Census Bureau cannot share respondents' answers with anyone, -- not the IRS, not the FBI, not the CIA, and not with any other government agency.

        All Census Bureau employees take an oath of nondisclosure and are sworn for life to protect all information that could identify individuals. Disclosing ANY information that could identify you or your family means 5 years in prison, or $250,000 in fines, or both.

        From: https://www.census.gov/privacy/

        We are committed to handling your information responsibly. Your information is kept confidential. This commitment applies to the individuals, households, and businesses that answer our surveys, and to those browsing our website.

        This reminds me of when the U.S. Census Bureau gave up information leading to the detainment of Japanese Americans.

        Somebody should be going to prison if these allegations prove to be true.

        • Gee, and left wingers wonder why we right wingers are suspicious of government and don't want to give any data out. BTW the Germans did this with religious data as well during WWII.
  • by Anonymous Coward

    And send the executives to prison for the rest of their lives.

    • Better: make them do community service talking to banks and so on, on behalf of victims of identity fraud, fixing the fallout. Even 10 hours a week for the next year or two of doing that would be a very strong disincentive for other companies.
  • by Anonymous Coward on Tuesday December 19, 2017 @08:54PM (#55772539)

    Don't worry. The invisible hand of the free market will solve this. That is also the reason nobody is in this database who did not volunteer for it.

    • Actually I think the appropriate aphorism here is, "Information wants to be free!" Except that won't be received as well by most of the people here (even though most of them actually believe it).

      The world starts making a lot more sense when you stop viewing it in black and white, and see that absolutes are exceedingly rare, and most sayings are only partially true depending on the situation - be it capitalism or freedom of information.
      • by rtb61 ( 674572 )

        I think the real problem is, that much data and you can mine it to find all US agents operating abroad, all in the data patterns. The more information you have about all US citizens, the easier it is to find the ones who have chosen to work for three letter agencies and then find the identity shift, from citizen to spy overseas. Youch, much worse and much more dangerous than it seems, especially to the spy vs spy types, extremely problematic from that point of view, especially how much fucking around the US

  • by Anonymous Coward

    Apparently Amazon doesn't understand security. Their cloud leaks more than most.

    • by leonbev ( 111395 )

      Amazon has been sending their customers warnings about misconfigured S3 buckets for a while now. In order for something like this to happen, a customer would have ignored these warnings for the past 9 months.

      So, yeah, someone probably deserves to be fired over this.

      • I've seen this happen.

        Back when Moby Dick was a minnow, I set a firm up with AT&T DSL.

        I used their firm@firm.com email as the sysadmin contact and watched them change the password so I could not get in.

        Months later their Internet failed and I jumped through hoops with AT&T, learning that they had changed their name servers.

        They had been sending countdown emails, but no one at the firm ever looked.

    • This one isn't on Amazon. These rank amateurs at Alteryx didn't configure their shit properly. Morons don't understand how to protect their data then they poo-poo reports of the severity of the breach. They really don't know what the hell they are doing.

      This company needs to die.

      • This is what I'm talking about:

        "Default security settings for S3 buckets usually allow only authorised users to access the contents; however, UpGuard reports the bucket was configured via permission settings to allow any AWS "Authenticated Users" to download its stored data."

        Alteryx or whatever the fuck their name is set moron permissions and exposed their sensitive data. Amazon can only do so much to engineer around pure stupidity.

        • by mysidia ( 191772 )

          What kind of bullshit was going through the idiot's brain when he added Any Authenticated User permission to a S3 bucket that would be used internally by their application ?

          There are at least two people who should be fired..... the Employee who added that ridiculous permission, AND the manager who failed to have auditing in place for AWS permissions.

          • any AWS "Authenticated Users" is all AWS and not just all in your group??

            It's like windows ad where you think it's just any AD user on your domain or local system but is really any windows user on the web.

            • Many organizations have VPCs and any average person might think a setting of public means it is public within that context, not to the entire net. Am I wrong here or is a S3 bucket made public not to the world but to VPC. I tend to be careful, but cloud vendors really could improve this by making anything visible only to company VPC unless special effort is shown. I however do not think that this is an AWS fault in any way.
              Anyone responsible would test this before dumping a DB there.

          • You would be surprised how many people do not know or do not care to. I am talking about IT people, not Mom & Pop. The customer “Just wants it working!” is the excuse. Other times people just do not want the authentication to be a factor in troubleshooting and forget to close access afterward.

            Many times, it is a bit of both. And the amount these people get paid (75k+), they should be fired for negligence. I once had to tell a client that they left their Sharepoint with sensitive data ope

  • Oh Noes! (Score:4, Insightful)

    by Shogun37 ( 1835726 ) on Tuesday December 19, 2017 @09:06PM (#55772613)
    The cloud is insecure! Who would have thought? A locally controlled cloud, or a contract that has incentives for the owners NOT to be pants on head, window licking morons, can be a good thing. However, most clouds (as far as I have seen) are about as secure as a screen door on a submarine. And as long as the owner of the cloud keeps making money, and writing contracts that absolve them of all responsibility, this will keep happening.
  • As for how this happened, ZDNet says, "the bucket was configured via permission settings to allow any AWS 'Authenticated Users' to download its stored data. Authenticated users are any user that has an AWS account."

    Hey, we had security protocols; that you find them inadequate, well, maybe that's a you problem.

  • So, we're just going to keep doing this I guess?

  • A private data analysis firm has detailed information on every American household.
  • Just how many more stories about GOP connected entities just haphazardly leaving tons upon tons of VOTER data on publicly available (or for foreign powers to use) do we need to see before we start taking action!
  • I've been assured that the cloud is completely secure by many random people on Slashdot.
  • by Anonymous Coward

    No matter how secure the communications between the app on your phone and the cloud service...no matter how secure the passwords or TFA methods are to prohibit unauthorized access...no matter how many guards and locks they put on the server room...if the administrator runs a full backup and throws it into an insecure Amazon S3 bucket (or some other cloud provider's bucket)...or copies it onto a portable drive and leaves the drive on his front seat while he runs into the store...or he is tempted by an offer

  • Now instead of a mistake causing a server to be open to your intranet, it's now exposed to the entire internet on a platform constantly scanned for unsecured servers.

  • by Anonymous Coward

    Where is the data so I can check and see what they leaked about me?

  • For those wondering (Score:4, Informative)

    by Solandri ( 704621 ) on Wednesday December 20, 2017 @03:01AM (#55774053)
    123 million households is pretty much everyone in the U.S. [statista.com].
    • The 2013 number on that website is 122.46, and 2014 it's 123.23. I guess that the "ConsumerView_10_2013" name refers to October, so with 123 million rows I think it's safe to say that it includes ALL households.
  • If data about you has been compromised, clap your hands.

    But it is good to know these companies will pay a hefty fine, right? Right? Guys?

  • by ElizabethGreene ( 1185405 ) on Wednesday December 20, 2017 @11:11AM (#55775609)

    Where can I get a copy?

    I'd like to see how well de-identified it is.
