US data analytics provider Alteryx has left an Amazon S3 storage bucket exposed online, leaking the sensitive details of over 123 million US households in the process.
The unprotected server was found by US cyber-security firm UpGuard, which also discovered a similar Amazon S3 server containing sensitive NSA files, and another leaky S3 server containing data from the US Army's CENTCOM and PACOM divisions.
Just like in previous cases, database administrators had left the server's content exposed to anyone who accessed an easily discoverable URL while logged into an Amazon account.
While the Alteryx database contained all sorts of data, the two most important files were two database archives belonging to Alteryx business partners, US consumer credit reporting agency Experian and the US Census Bureau.
While the data belonging to the US Census Bureau (the 2010 census results) was already publicly available on the Bureau's Census website, the Experian data was never meant to be exposed.
The Experian data was stored in a file named "ConsumerView_10_2013.yxdb" and contained what UpGuard researchers described as the "personally identifying details and data points about virtually every American household."
More precisely, the database contained over 3.5 billion details for over 123 million American households.
The data included both personally identifiable information, such as addresses, home details, contact information, or homeowner ethnicity, and financial details, such as mortgage status, financial histories, and purchase behavior.
Considering the data belonged to Experian, you can expect any personal or financial detail used in credit reporting to be cataloged in the database.
The good news is that the data is somewhat old, the file being dated to 2013. The bad news is that while the data on each person was anonymized and did not include names, the database contained home addresses, which is just as bad.
"Private information across multiple fields such as addresses and banking info can easily be correlated with names," Atiq Raza, CEO of Virsec Systems, told Bleeping Computer in an email, confirming that the lack of names will not be an issue for attackers.
While it is unclear if someone else besides UpGuard researchers discovered and downloaded the data, almost all the users contained in the database are now exposed to identity theft and phantom debt.
According to UpGuard, the problem at the heart of this leak, along with the NSA and US Army exposures, is the same: contractors that do not adhere to the same security standards practiced by the company that outsources services (data mining and analytics, in this case).
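A bucket readable by anyone logged into an Amazon account, as described above, matches an S3 ACL grant to Amazon's predefined AuthenticatedUsers group. The following Python check is an added example, not code from UpGuard or Alteryx: it flags such grants in ACL data shaped like an S3 GetBucketAcl response. That the Alteryx bucket was exposed through an ACL grant is an assumption, and the bucket names and owner ID are constructed.

```python
# Added example: audit S3 bucket ACLs for grants to Amazon's broad predefined groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BROAD_GROUPS = {
    ALL_USERS: "anyone, no sign-in required",
    AUTH_USERS: "anyone signed in to any AWS account",
}
# Permissions that let the grantee change data or the ACL itself.
WRITE_LEVEL = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(bucket, acl):
    """Return one finding per grant that exposes the bucket to a broad group.

    `acl` has the shape of an S3 GetBucketAcl response (a "Grants" list).
    Bucket policies and per-object ACLs are separate controls, not checked here.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in BROAD_GROUPS:
            continue  # owner, named accounts, log delivery group, etc.
        perm = grant.get("Permission", "")
        findings.append({
            "bucket": bucket,
            "exposed_to": BROAD_GROUPS[uri],
            "permission": perm,
            "severity": "critical" if perm in WRITE_LEVEL else "high",
        })
    return findings


# Constructed sample ACLs (hypothetical bucket names and owner ID).
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
SAMPLE_ACLS = {
    "analytics-partner-data": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
    ]},
    "internal-logs": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ]},
}

if __name__ == "__main__":
    for name, acl in SAMPLE_ACLS.items():
        for f in audit_acl(name, acl):
            print(f"{f['severity'].upper()}: {name} grants {f['permission']} to {f['exposed_to']}")
```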