Another firm leaks personal info you never knew it had
Here’s a fun question to pose to the family dinner table: Have you ever heard of Alteryx?
Whether you have or not, chances are good that it’s heard of you. Alteryx is a dataanalytics company that makes its money by repackaging information it has collected from different sources. And it has become the latest reminder of how much data little-known companies have collected on us — and how little oversight there is over the security of it.
Earlier this week, an analyst from the security firm UpGuard said Alteryx had not protected information on 123 million U.S. households. (There are about 126 million total, according to the U.S. Census Bureau.)
The information did not include names but contained addresses, ethnicity, income and details about personal interests, which it gathered from Census Bureau data, the credit bureau Experian, as Forbes’s Thomas Brewster reported, and other sources. Alteryx’s collection of information was open for almost anyone to access, if they knew where to look, according to Chris Vickery, the UpGuard researcher.
Alteryx acknowledged in a statement that it had a security problem and said it had fixed it. “We take data security very seriously and have taken steps to help ensure that it doesn’t happen again.”
This data leak was discovered by a researcher and not (as far as we know) by a criminal. But it affects about as many people as the massive hack Equifax reported in September: 145.5 million Americans, or nearly every adult.
One reason these security problems are affecting so many people at once is that while there’s been an increase in the amount of data companies collect, there hasn’t been a bump in efforts to secure it. So a slip-up is “capable of exposing the vast majority of American households to compromise with one error,” UpGuard analyst Dan O’Connor said in a blog post.
The Alteryx leak follows another discovery by Vickery earlier this year. He found that a data firm called Deep Root hired by Republican candidates did not secure information it had collected on 198 million voters.
Data collection and analysis is a growing multibillion-dollar business, with thousands of firms. Alteryx, considered a relatively small company, reported $34.2 million in revenue in its last quarterly report. Bigger names such as Acxiom — which was the victim of a hack in 2005 that exposed 1.6 billion customer records — often report at least $900 million in revenue per year.
While there has been some fallout from these exposures — Equifax’s chief executive retired after its breach — repeated leaks haven’t changed industry standards for data security.
Companies have to comply with breach-notification laws, but there have been few legal consequences.
It’s difficult to connect the dots from information taken in specific breaches to specific crimes, given that the Internet is awash in stolen personal info. And efforts to improve cybersecurity standards, even after the Equifax breach, haven’t produced any new laws.
To read more, see www.washingtonpost.com/news/the-switch.