An­other firm leaks per­sonal info you never knew it had

The Washington Post - - FREE FOR ALL - HAY­LEY TSUKAYAMA

Here’s a fun ques­tion to pose to the fam­ily din­ner ta­ble: Have you ever heard of Al­teryx?

Whether you have or not, chances are good that it’s heard of you. Al­teryx is a data­an­a­lyt­ics com­pany that makes its money by repack­ag­ing in­for­ma­tion it has col­lected from dif­fer­ent sources. And it has be­come the lat­est re­minder of how much data lit­tle-known com­pa­nies have col­lected on us — and how lit­tle over­sight there is over the se­cu­rity of it.

Ear­lier this week, an an­a­lyst from the se­cu­rity firm UpGuard said Al­teryx had not pro­tected in­for­ma­tion on 123 mil­lion U.S. house­holds. (There are about 126 mil­lion to­tal, ac­cord­ing to the U.S. Cen­sus Bureau.)

The in­for­ma­tion did not in­clude names but con­tained ad­dresses, eth­nic­ity, in­come and de­tails about per­sonal in­ter­ests, which it gath­ered from Cen­sus Bureau data, the credit bureau Ex­pe­rian, as Forbes’s Thomas Brew­ster re­ported, and other sources. Al­teryx’s col­lec­tion of in­for­ma­tion was open for al­most any­one to ac­cess, if they knew where to look, ac­cord­ing to Chris Vickery, the UpGuard re­searcher.

Al­teryx ac­knowl­edged in a state­ment that it had a se­cu­rity prob­lem and said it had fixed it. “We take data se­cu­rity very se­ri­ously and have taken steps to help en­sure that it doesn’t hap­pen again.”

This data leak was dis­cov­ered by a re­searcher and not (as far as we know) by a crim­i­nal. But it af­fects about as many peo­ple as the mas­sive hack Equifax re­ported in Septem­ber: 145.5 mil­lion Amer­i­cans, or nearly ev­ery adult.

One rea­son these se­cu­rity prob­lems are af­fect­ing so many peo­ple at once is that while there’s been an in­crease in the amount of data com­pa­nies col­lect, there hasn’t been a bump in ef­forts to se­cure it. So a slip-up is “ca­pa­ble of ex­pos­ing the vast ma­jor­ity of Amer­i­can house­holds to com­pro­mise with one er­ror,” UpGuard an­a­lyst Dan O’Con­nor said in a blog post.

The Al­teryx leak fol­lows an­other dis­cov­ery by Vickery ear­lier this year. He found that a data firm called Deep Root hired by Repub­li­can can­di­dates did not se­cure in­for­ma­tion it had col­lected on 198 mil­lion vot­ers.

Data col­lec­tion and anal­y­sis is a grow­ing multi­bil­lion-dol­lar busi­ness, with thou­sands of firms. Al­teryx, con­sid­ered a rel­a­tively small com­pany, re­ported $34.2 mil­lion in rev­enue in its last quar­terly re­port. Big­ger names such as Acx­iom — which was the vic­tim of a hack in 2005 that ex­posed 1.6 bil­lion cus­tomer records — of­ten re­port at least $900 mil­lion in rev­enue per year.

While there has been some fall­out from these ex­po­sures — Equifax’s chief ex­ec­u­tive re­tired af­ter its breach — re­peated leaks haven’t changed in­dus­try stan­dards for data se­cu­rity.

Com­pa­nies have to com­ply with breach-no­ti­fi­ca­tion laws, but there have been few le­gal con­se­quences.

It’s dif­fi­cult to con­nect the dots from in­for­ma­tion taken in spe­cific breaches to spe­cific crimes, given that the In­ter­net is awash in stolen per­sonal info. And ef­forts to im­prove cy­ber­se­cu­rity stan­dards, even af­ter the Equifax breach, haven’t pro­duced any new laws.

To read more, see www.wash­ing­ton­post.com/news/the-switch.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.