Alteryx, a company apparently aggregating all kinds of data under contract for Experian, is the latest company to leave their S3 buckets in a wide-open, world-readable state. And while a lot of the data seems to be public information anyway, there are some very sensitive items in there, including financial information.
From home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior, the exposed data constitutes a remarkably invasive glimpse into the lives of American consumers. While, in the words of Experian, “protecting consumers is our top priority,” the accumulation of this data in “compliance with legal guidelines,” only to then see it left downloadable on the public internet, exposes affected consumers to large-scale misuse of their information - whether through spamming and unwanted direct marketing, organized fraud techniques like “phantom debt collection,” or through the use of personal details for identity theft and security verification.
We’ve read plenty of articles about S3 buckets left wide open for anyone to read. But even if you properly configure your read permissions, did you know someone might still have the ability to write to your bucket? Ya, really. UpGuard has the details.
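To see why read and write have to be checked separately, here is an added example (not from UpGuard's write-up or this post's sources): a small audit over a bucket ACL in the JSON shape that `aws s3api get-bucket-acl` returns. The sample ACL and the function names are constructed for illustration.

```python
import json

# Predefined S3 grantee groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# Bucket-level meaning of each ACL permission.
READ_PERMS = {"READ", "FULL_CONTROL"}                  # list objects
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}   # add/overwrite/delete, or rewrite the ACL

# Constructed sample: no public READ grant, but a public WRITE grant.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"ID": "example-owner-id"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE"}
  ]
}
""")

def public_grants(acl):
    """Return sorted (audience, permission) pairs granted to public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and audience:
            found.append((audience, grant.get("Permission")))
    return sorted(found)

def exposure(acl):
    """Summarise public read and public write exposure separately."""
    perms = {perm for _, perm in public_grants(acl)}
    return {"public_read": bool(perms & READ_PERMS),
            "public_write": bool(perms & WRITE_PERMS)}

if __name__ == "__main__":
    for audience, perm in public_grants(SAMPLE_ACL):
        print(f"public grant: {perm} to {audience}")
    print(exposure(SAMPLE_ACL))
```

Bucket policies can also grant public access, so an ACL check like this covers only one of the places to look.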
Be secure out there!