Cloud database security cleanup on aisle 4: Alteryx breach a capper for 2017

Every household in America (almost): That’s the scale of the latest leak of personal data.

Experian’s enormous ConsumerView database was publicly available in an Amazon S3 bucket owned by Alteryx, Inc. All 123 million records of it.

How can you avoid being next? In this week’s Security Blogwatch, we learn the lessons that others ignored.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: EDM2017


What’s the craic? Thomas Fox-Brewster cunningly calls it extraordinary:

Information on more than 120 million American households was sitting … exposed.

It included an extraordinary range of personal details … 248 different data fields for each household. … The data was sitting in an Amazon Web Services storage "bucket," left open to anyone.

The data … was left online by marketing analytics company Alteryx. … The firm had purchased the information from Experian.

After being informed … the company took action and secured the database from public view last week. … Alteryx played down the severity of the leak: … "The file contained no names of any individuals or any other personal identifying information. … The information in the file does not pose a risk of identity theft to any consumers."

Experian [said] "This is an Alteryx issue, and does not involve any Experian systems."

Oh, no PII. So that’s okay then, right? Tara Seals disagrees:

As more and more collation takes place, across many different sources, these databases become fingerprints—troves of information that provide a startlingly complete picture of each individual. … It remains to be seen what information has fallen into bad actors’ hands.

The scale of the issue puts it in the running with the infamous Equifax incident, as it touches virtually every American household. … Exposed within the repository are massive data sets belonging to Alteryx partners Experian … and the US Census Bureau.

At issue is once again an Amazon Web Services S3 cloud storage bucket that was misconfigured and inadvertently left open to the public internet. [Which] could mean … organized fraud techniques like phantom debt collection, identity theft and security verification.

Who discovered it? UpGuard’s Chris Vickery, here channeled by Dan O'Sullivan:

The exposed data reveals billions of personally identifying details … about virtually every American household. From home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior, [it’s] a remarkably invasive glimpse into the lives of American consumers.

The continuing concentration of data by a number of large enterprises … has not been accompanied by greater prudence and process. … Data exposures such as this are capable of exposing the vast majority of American households to compromise with one error.

While the spreadsheet uses anonymized record IDs to identify households, the other information [is] sufficiently detailed as to be not merely often identifying, but with a high degree of specificity. … This exposed data provides a highly detailed database of tens of millions of Americans’ personal, financial, and private lives.

Experian's ConsumerView information is proprietary, sold only to other enterprises; how do you ensure an external partner or vendor to whom you are entrusting your data in this way ensures it remains secure? … This is an enormous problem facing the IT landscape today. … Most enterprises lack the ability to even assess the security postures of external vendors.

Who’s first to comment? How about mikele11111?

Addresses don't constitute personally identifying information?

An address is almost as good as it gets next to an SSN when it comes to getting identifying details on someone.

Troy Hunt reckons education is a fundamentally sensible idea:

We have a data breach problem. [And] things are going downhill in a hurry.

You know the old "prevention is better than cure" idiom? Nowhere is it truer than with data breaches. … Every single one of them can be traced back to a mistake made by humans.

Part of the challenge here is that people simply don't know that there's a big part of their knowledge missing. … They have no idea that they have a massive deficiency in their competency.

Education is the best ROI on security spend. … It's cheap … has enormous upside [and] you leverage it over and over again.

Before coming up with his solution, Ray Knapp sleeps on it: [You’re fired—Ed.]

Send the entire board of these companies to jail, for a year.
This will immediately stop these breaches; every time there is a breach of personal data it should be automatic jail time, no ifs, ands or buts.

And RcouF1uZ4gsC is easy for you to say:

Personal data right now is considered an asset. It needs to be seen as a liability.

There must be a way to track from when a consumer input the data all the way through. Fraud in regards to this provenance is punishable by jail time.
If you have data that does not have provenance, the company will be severely fined and people will go to jail. In the event of any data breach, not only will the company that had the breach be [punished], all companies that provided the data to the company … that had the breach will also be punished.

But lima looks abroad:

In Europe, especially with the upcoming GDPR laws, data is seen as a liability by many companies.

[This] means that companies need to think twice before storing it — if the data is sufficiently valuable, companies will still store it, but they have to manage it properly and mitigate risks since penalties are harsh.

But what of Amazon Web Services? mcheshier suggestifies:

My biggest problem with S3 is the old multi-layered security model with bucket policies and ACLs.
They need to update it to just use IAM like everything else.

And here’s leonbev:

Amazon has been sending their customers warnings about misconfigured S3 buckets for a while now. In order for something like this to happen, a customer would have ignored these warnings for the past 9 months.

So, yeah, someone probably deserves to be fired.

If true, gfody’s story is an astounding indictment:

I worked at Experian and had access to ConsumerView by way of any number of crazy integration schemes … perpetually making a mockery of security protocols in order to meet deadlines and please clients.

Pretty much anyone with network access could download a copy and walk out with it.

Meanwhile, houghi looks on the bright side:

But it is good to know these companies will pay a hefty fine, right?
Right? Guys?

The moral of the story? Urgently review your cloud-storage bucket policies, IAM permissions and ACLs. And if you share sensitive data with partners, how are you auditing that?
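Reviewing a bucket means checking both of S3's overlapping layers, the ACL and the bucket policy, since either one alone can open it to the world. The following Python is an added example, not code from the article or from anyone quoted in it: it flags public grants in inputs shaped like boto3's get_bucket_acl() and get_bucket_policy() responses, and the bucket name, account ID and grantee IDs are constructed placeholders.

```python
import json

# Constructed sample inputs (assumptions, not data from the article). Their
# shape mirrors what boto3's get_bucket_acl() and get_bucket_policy() return.
SAMPLE_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/partner"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

# Both predefined groups count as public: AuthenticatedUsers means anyone
# with any AWS account, not just users of your own account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (group name, permission) for every ACL grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found

def public_policy_sids(policy_json):
    """Return Sids of unconditioned Allow statements whose Principal is anyone."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be unwrapped
        statements = [statements]
    found = []
    for stmt in statements:
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict)
                                      and principal.get("AWS") in ("*", ["*"]))
        # A statement with a Condition block may still be restricted; it is
        # left for manual review rather than reported as definitely public.
        if stmt.get("Effect") == "Allow" and anyone and "Condition" not in stmt:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found
```

Run both checks over every bucket in the account and treat any non-empty result as a finding to fix, not a warning to file away.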

And finally …

Best EDM of 2017, according to DJs from Mars

Bonus linkage: The History of EDM

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.
