Open AWS S3 Bucket Exposes 123 Million US Households

Data Leak

Year-end surprise? A cloud-based data repository belonging to Alteryx has been found to publicly expose datasets from its partners, Experian and the US Census Bureau.

Sensitive personal information on 123 million households in the country has been leaked.

Data leaks like these have definitely become a regular occurrence now, with organizations like ABC, Viacom, Time Warner Cable, Verizon, Dow Jones, even the US military at risk.

You have UpGuard to thank for revealing this latest instance, an AWS misconfiguration error that resulted in one of the largest leaks yet. Worse, this was 100% avoidable, as were many of the abovementioned cases.

According to the report, the S3 cloud storage bucket in question allowed access to AWS authenticated users, which in practical terms means that any of the million-plus users that have an Amazon Web Services account could have accessed this information.
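The "AWS authenticated users" setting described above corresponds to an ACL grant to Amazon's predefined `AuthenticatedUsers` group. The following audit check is an added example, not code from the UpGuard report or from Alteryx; it works on the dictionary shape that boto3's `get_bucket_acl` returns, and the bucket names, owner ID and ACLs are constructed sample data.

```python
# Flag S3 bucket ACL grants made to Amazon's predefined global groups.
# Input: the dict shape returned by boto3.client("s3").get_bucket_acl(Bucket=name).
GROUP_PREFIX = "http://acs.amazonaws.com/groups/global/"
RISKY_GROUPS = {
    GROUP_PREFIX + "AllUsers": "anyone on the internet, no credentials needed",
    GROUP_PREFIX + "AuthenticatedUsers": "any AWS account holder, not only your own",
}
# What each bucket-level ACL permission allows the grantee to do.
IMPACT = {
    "READ": "list the bucket's objects",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "all of READ, WRITE, READ_ACP and WRITE_ACP",
}

def audit_acl(bucket, acl):
    """Return one finding per grant that opens the bucket to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in RISKY_GROUPS:
            perm = grant.get("Permission", "")
            findings.append({"bucket": bucket, "group": uri.rsplit("/", 1)[-1],
                             "who": RISKY_GROUPS[uri], "permission": perm,
                             "impact": IMPACT.get(perm, "unknown")})
    return findings

def audit_all(acls):
    """Audit a {bucket_name: acl} mapping and return all findings."""
    return [f for name in sorted(acls) for f in audit_acl(name, acls[name])]

# Constructed sample data: hypothetical bucket names and owner ID.
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
SAMPLE_ACLS = {
    "example-analytics-data": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": GROUP_PREFIX + "AuthenticatedUsers"},
         "Permission": "READ"},
    ]},
    "example-private-data": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    ]},
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_ACLS):
        print(f"{f['bucket']}: {f['permission']} granted to {f['group']} "
              f"({f['who']}); grantee can {f['impact']}")
```

Object-level ACLs and bucket policies can grant access independently of the bucket ACL, so a clean result here covers only this one control.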

The S3 silo contained records that Alteryx had obtained from credit check company Experian, as well as the 2010 American Census data. The census records are publicly available, but the Experian dataset is commercially available.

UpGuard says that all put together, the S3 bucket contained home addresses and contact information of these users, as well as details of mortgage ownership, financial histories, and even specific analysis of purchasing behavior.

That could potentially have been a goldmine for identity thieves and fraudsters.

Luckily, the S3 bucket in question has been locked down.

But one can safely say that 2017 has been the year of leaky AWS S3 data buckets. The leaks just kept coming and coming, and got larger and larger as the year progressed.

Hopefully 2018 fares better.

Much better.