Following a report that it left data about more than 100 million households exposed on AWS, Alteryx’s CEO declared that the company has taken steps to ensure that it doesn’t happen again.
On December 20, the security firm UpGuard posted an account of how a cyber risk researcher discovered an under-protected S3 cloud bucket owned by Alteryx on the AWS cloud. The company said the storage bucket, dubbed “alteryxdownload,” contained a variety of data, including software releases and development files.
The bucket also contained a 36GB database file that UpGuard said contained detailed information on over 100 million American households. The file, which was dubbed “ConsumerView_10_2013”, carried a .yxdb file extension that identifies it as an Alteryx Database file.
According to UpGuard, that file had 123 million rows and 248 columns. Each of the columns corresponded with the personal details, preferences, and behavior of the associated household across a wide array of categories, including addresses, income, ethnicity, personal interests, magazine subscriptions, contact information, mortgage ownership, and financial histories.
Due to a misconfiguration of the S3 bucket, anybody with a verified AWS account could have downloaded the file, according to UpGuard, which also stated that the data originated from the credit reporting company Experian and its ConsumerView data offering.
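The condition UpGuard describes, access for anyone holding an AWS account, corresponds in S3 to a grant to the predefined AuthenticatedUsers group. As an added example (not from the article, UpGuard, or Alteryx), this Python check flags such grants in an ACL document shaped like the response of boto3's `get_bucket_acl`; the article does not say whether an ACL or a bucket policy was at fault, so the ACL route, the bucket name, and the sample data are assumptions.

```python
# Added example: flag S3 ACL grants to predefined groups that expose data.
# Input follows the shape of boto3's get_bucket_acl()/get_object_acl() response.
GROUP_PREFIX = "http://acs.amazonaws.com/groups/global/"
RISKY_GROUPS = {
    GROUP_PREFIX + "AuthenticatedUsers": "any AWS account holder",
    GROUP_PREFIX + "AllUsers": "anyone on the internet",
}
SEVERITY = {  # permission -> severity when granted to a risky group
    "FULL_CONTROL": "critical", "WRITE": "critical", "WRITE_ACP": "critical",
    "READ": "high",        # on a bucket: list keys; on an object: download it
    "READ_ACP": "medium",  # grantee can read the ACL itself
}

def audit_acl(resource, acl):
    """Return one finding per risky group grant in a single ACL document."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in RISKY_GROUPS:
            continue  # per-account grants and the log delivery group are skipped
        permission = grant.get("Permission")
        if permission not in SEVERITY:
            continue
        findings.append({
            "resource": resource,
            "exposed_to": RISKY_GROUPS[uri],
            "permission": permission,
            "severity": SEVERITY[permission],
        })
    return findings

# Constructed sample ACL for a hypothetical bucket (not data from the incident).
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": GROUP_PREFIX + "AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for finding in audit_acl("example-downloads", SAMPLE_ACL):
        print(finding)
```

Objects carry their own ACLs, so the same function should be run over object ACLs as well as the bucket ACL.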
The data in the vulnerable Alteryx file was anonymized, according to UpGuard, but the nature of the data, combined with other data stored in the bucket, was “sufficiently detailed as to be not merely often identifying, but with a high degree of specificity,” the security firm wrote.
Alteryx chairman and CEO Dean Stoecker responded to the UpGuard report on the same day.
“When we discovered this issue, we removed the file from AWS and also added a layer of additional security to the AWS bucket where the file was stored,” Stoecker stated in a blog post. “We will maintain a similar level of enhanced security for any dataset that we offer to our customers going forward.
“We take data security very seriously and have taken steps to help ensure that it doesn’t happen again,” he wrote.
Stoecker confirmed that the dataset originated with Experian, but disputed reports that the file contained personally identifiable information.
“This dataset is commercially available from Experian and provides some location information, contact information, and other estimated information that is used for marketing purposes,” the Alteryx CEO wrote. “It does not include names, credit card numbers, Social Security numbers, bank account information or passwords. Some media outlets reported that the dataset included this type of information, which is not true.”
Irvine, California-based Alteryx develops a suite of data analytics tools. The company is perhaps best known for its data preparation and blending tools, but is expanding its reach into other product areas, including data visualization, data discovery and collaboration, and automating data science workflows.
In addition to selling tools, Alteryx provides detailed marketing data to its customers through partnerships with Experian, Dun & Bradstreet, and the US Census Bureau.
Alteryx went public less than a year ago. On the day the breach was made public, Alteryx’s stock, which is traded on the New York Stock Exchange under the symbol AYX, lost about 6% of its value. It has since made up that loss.