Earlier this week, cybersecurity firm UpGuard reported that cloud-based data storage from Alteryx, a data analytics firm, had left the personal information of 123 million Americans exposed. Alteryx is a partner of both Experian, the credit monitoring firm, and the U.S. Census Bureau. Although the Census data was already publicly available, when coupled with the sensitive Experian information, UpGuard raised concern that the exposed information could impact nearly every household in the country.
What information was exposed?
The exposed information included highly detailed consumer information, such as purchasing behavior, mortgage history, home addresses, contact information, even a gender breakdown and magazine subscription analysis. The data set was anonymized, so names were not part of the exposed data set.
UpGuard has listed every field of information exposed in their report about the leak.
How did this happen?
UpGuard discovered that Alteryx had a misconfigured Amazon Web Services S3cloud storage bucket, which allowed any user with an Amazon AWS account to download the data. In addition to the consumer information files, there were also client product updates and development files.
Alteryx has since secured their storage bucket, but it’s not known how long it went unsecured.
How worried should I be?
Alteryx said in a comment that consumers do not need to be worried, however this is a concerning leak because of the highly specific and sensitive nature of the information, and because no one knows how long it’s been unsecured or who has had access to it. So while you likely don’t need to be at DEFCON 1, you should definitely maintain vigilance at monitoring your personal information.
What can I do?
If you’re a PrivacyArmor® user, you don’t need to do anything. We’re always monitoring for any high-risk activity that takes place with your credit, financial accounts, or other sensitive personal information, and we’ll let you know if we find something.
If any personal information has been exposed or your identity compromised, remember that we offer fraud remediation and identity theft insurance. We’ve got this.
If you don’t use PrivacyArmor
To check if your personal information has been compromised in this leak or any other hack, we’ll reiterate the steps we outlined in the recent Uber hack, plus one specific to this leak.
1. Be on the lookout for spam
Because of the nature of the information in the exposed database, you may be at increased risk of even more spam than before. Stay alert, and keep in mind that the highly specific nature of the information means that you should remain certain that any contact you have with your car loan company, mortgage company, or any sort of home improvement company is definitely legitimate.
2. Obtain a copy of your credit report
Though it does not appear that Social Security numbers or credit card numbers were compromised in this leak, it’s still a good idea to play it safe and pull a copy of your credit report. Each of the large credit monitoring companies provides one free report every 12 months. If you haven’t pulled your free report yet this year, do so now with TransUnion, Equifax, and Experian.
Check each report thoroughly to make sure it is accurate, and keep the copies of your report in case you need them for future reference.
3. Monitor your credit
Get a service that will proactively monitor your credit scores and that will notify you when suspicious activity occurs. Note that many of these services will not protect you from sophisticated identity crimes, so you will bear the majority of the burden of proactive monitoring.
4. Consider freezing your credit or filing a fraud alert
Put a fraud alert on your credit report if someone has indeed misused your information. Putting a fraud alert on your credit account is free, and you only need to tell one of the three credit monitoring companies, as they’re obligated to inform the other two.
A fraud alert will make it harder for someone else to open accounts in your name, but mark your calendar because it only lasts 90 days. Just keep in mind that extending a fraud alert can be challenging, especially if you don’t have a police report.
Freezing your credit is a more secure and long-term solution than a fraud alert. Freezing your credit costs $10 at each credit bureau (so $30 total to freeze with all three), and you will have to call each company individually. A freeze will prevent anyone, even you, from opening an account in your name. If you need to open an account with your credit report, you can initiate a temporary thaw, though that also costs $10.
A credit freeze will not affect your credit score or prevent you from getting an annual credit report. If you want to learn more, check out the FTC’s credit freeze FAQs.
5. File your taxes early
It’s a good idea to file your taxes as early as you can, especially in light of this year’s Equifax breach. Doing so prevents anyone with your Social Security number from filing your taxes “for you” and receiving any refund you may be entitled to.