By Hayley Tsukayama / The Washington Post
Here’s a fun question to pose to the family dinner table: Have you ever heard of Alteryx?
Whether you have or not, chances are good that it’s heard of you. Alteryx is a data analytics company that makes its money by repackaging data that it’s collected from different sources. And it became the latest reminder of how much data little-known companies have collected on us — and how little oversight there is over the security of that data.
Earlier this week, an analyst from the security firm UpGuard shared that Alteryx had not properly protected detailed information it had collected on 123 million U.S. households. (All told, there are about 126 million American households, according to the Census Bureau.) The information included addresses, information on ethnicity, income and even details about personal interests, which it gathered from U.S. Census Bureau data, the credit bureau Experian, as Forbes’s Thomas Brewster reported, and other sources.
When combined, several security experts said, the firm’s data would have made it easy to identify someone — even though no names were attached to those profiles. Alteryx’s collection of information was open for almost anyone to access, if they knew where to look, according to Chris Vickery, the UpGuard researcher.
Alteryx acknowledged that it had a security problem and said that it had fixed it. “We take data security very seriously and have taken steps to help ensure that it doesn’t happen again.”
This data leak was discovered by a researcher, and not (as far as we know) by a criminal. But the leak affects about as many people as the massive hack Equifax reported in September, which affected 145.5 million Americans, or nearly every adult.
One reason these security issues are affecting so many people at once is that while there’s been an increase in the amount of data companies collect, there hasn’t been a similar bump in efforts to secure it. So a slip-up at a place such as Alteryx is “capable of exposing the vast majority of American households to compromise with one error,” said UpGuard analyst Dan O’Connor.
The Alteryx leak follows another Vickery discovery earlier this year, when he found that a data firm called Deep Root, hired by Republican candidates, had failed to secure information it had collected on 198 million people. That left information such as people’s voter registration data and social media posts open to anyone who went looking for it.
Data collection and analysis is a strong and growing multibillion-dollar business, with thousands of firms. Alteryx, which is considered a relatively small data collection company, reported $34.2 million in revenue in its last quarterly report. Bigger names such as Acxiom — which was the victim of a hack in 2005 that exposed 1.6 billion customer records — often report at least $900 million in revenue per year.
While there has been some fallout from breaches — Equifax’s chief executive retired after its breach, for example — repeated leaks don’t seem to have changed industry standards for data security. Data mining companies do have to comply with data breach notification laws, but there have been few legal consequences for breaches. It’s difficult to connect the dots from information taken in specific breaches to specific crimes, given that the internet is awash in stolen personal information.
“This is the latest example of organizations not applying stringent security to data in the cloud, and then underestimating the potential damage,” said Atiq Raza, chief executive of the cybersecurity company Virsec Systems.
Members of Congress and the Federal Trade Commission have previously questioned whether this sort of data collection is a violation of privacy. In the wake of these breaches, that concern is being coupled with the worry that these companies are not only amassing huge troves of data, but also not doing enough to protect them or tell people about their security failures.
Yet legislation to address either problem hasn’t had much success. Even after the Equifax breach, several lawmakers called for stronger rules that compel companies to meet minimum cybersecurity standards and to be better about letting people know when companies have failed to secure their information. But, as in years past, these efforts have yet to produce any new laws.
In the meantime, the average person can do little except monitor their credit reports and hope that contrite companies — shamed by security researchers — will learn from their mistakes.