Details of 120 million Americans leaked after partner put data on insecure AWS bucket

Personal data of millions of Americans put at risk - months after Equifax breach

The personal details of 120 million Americans were put at risk when a marketing firm that had rights to the data was found to be storing it in an insecure AWS bucket.

According to a security researcher, the Experian-generated data was sold on to marketing analytics company Alteryx. However, it kept this information in a incorrectly configured AWS bucket.

Speaking to Forbes about the breach, UpGuard cybersecurity specialist Chris Vickery claimed that Alteryx had been storing personal information that contained roughly 448 different fields.

As a result, anyone with a valid URL could access the data and share it across internet. Worse still, they didn't need any security details or have to pass any checks.

Vickery believes that the company was using the data for its Designer With Data product. The latter is sold to large corporations for a staggering $40,000.

The product relies on detailed consumer information, especially demographics such as property and mortgage information. Criminals could potentially use this information in their crimes.

Vickery got in touch with Alteryx to warn it about the vulnerability and a potential breach. The firm then secured the bucket and removed the flawed file.

In a statement supplied to Forbes, the company said: "Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider."

It added that the file was available to customers "who purchased and used this data for analytic purposes", continuing: "The information in the file does not pose a risk of identity theft to any consumers."

Forbes also contacted Experian, which denied any wrongdoing. It claimed that Alterrx was entirely responsible for looking after the personal data that it had supplied.

While the Experian spokesperson claimed that the file didn't contain any "identifiable" information, Vickery believes that there's enough data for criminals to de-anonimise and, thereby, to target people.

"If you cross-reference it with a voter registration database, or if you have records from an advertiser on the web, like a big web advertiser, you piece these things together and you've got a very accurate view of who someone is: what they like doing, where they work, where they live, how many kids they have," he said.