A cybersecurity firm says it discovered a weakly protected database that was leaking personal information relating to millions of American households.
A cloud repository, found in October, reportedly exposed datasets belonging to a California-headquartered analytics company called Alteryx. Researchers say the leak included data from a number of its partners, including Experian and the US Census Bureau.
According to the Alteryx website, additional partners include Microsoft and Amazon Web Services.
It is trusted by "many of the world's largest and best known brands", an about page states.
One lengthy database with household data – seemingly compiled for marketing – was titled "ConsumerView." Coming in at 36GB in size, it held home addresses, mortgage data, financial records and contact details.
Another was the US Census Bureau's 2010 results, found in a self-extracting .exe format, experts said.
"Taken together, the exposed data reveals billions of personally identifying details and data points about virtually every American household," wrote Dan O'Sullivan, a threat researcher at UpGuard, which found the leaked files, in a blog post published Tuesday (19 December).
The "ConsumerView" database, packaged and sold to businesses, is advertised as containing "the largest and most comprehensive resource for traditional and digital marketing campaigns."
Indeed, an Experian brochure about the ConsumerView product from 2016 revealed that it holds "data on more than 300 million individuals and 126 million households".
Modern marketing executives use massive troves of consumer data to help tailor advertising campaigns and create strategies based on household demographics.
UpGuard said the database used "anonymised record IDs to identify households" – meaning no names were included – but noted that collectively it could likely identify US citizens.
The security company said that Alteryx offers a package called "Designer with Data" which is touted as having "analytics-ready demographic, segmentation, and firmographic data from Experian, D&B, the US Census Bureau, and more." That may explain the inclusion of ConsumerView.
The leaky cloud database has now been cordoned off from the internet, Alteryx has said. In a statement to Forbes, the firm claimed that exposed information "did not pose a risk" to consumers.
It stressed that the household records were all "aggregated and de-identified".
But UpGuard, which has revealed similar leaks in the past, indicated that the incident was more severe than Alteryx was admitting. "[The] data provides a highly detailed database of tens of millions of Americans' personal, financial, and private lives," O'Sullivan wrote.
The company blog post warned: "The exposure of massive amounts of data from three different enterprises in one cloud leak - including from a federal agency - reveals how the consequences of cyber insecurity can [...] quickly afflict partners and expose their data as well."