This week in 'Bungles in the AWS S3 Privacy Jungles', we present Alteryx – and 123 million households exposed

Yet another misconfigured Amazon-hosted cloud storage bucket has been discovered – this one flashing the personal information of roughly 123 million American households to anyone passing by on the internet. The public-facing database belonged to analytics biz Alteryx, and its bungled security was discovered and reported by …

  1. Long John Brass Silver badge
    FAIL

    Oh for fsck sake

    It will later be announced that the engineer responsible has been found and scapegoated

    The fact that the poor bastard will have had orders from on high to do it and an e-mail chain querying the sanity of it all. After all, manglers never get *THEIR* hands dirty.

    Jesus wept.

    1. Semtex451 Silver badge

      Re: Oh for fsck sake

      On the upside, anyone believing Experian data will think that I’m a modern Robin f’ing Hood

    2. Muscleguy Silver badge

      Re: Oh for fsck sake

      What's the betting it was set so because a senior exec out of the office couldn't access it and demanded the layers be 'simplified'? That is often the reason for such things.

      Heaven forfend that a suit should have to be tech literate and competent.

      1. Sil

        Re: Oh for fsck sake

        Reminds me of executives of large multinationals asking their IT staff to compromise the security of their information systems to be able to access confidential data on their iPads.

      2. rmason Silver badge

        Re: Oh for fsck sake

        This.

        Some poor sod will get fired, despite having an email from a C-level fuckwit complaining about contractors needing access, his wife who "does the website stuff" for 100k a year needing a look etc etc.

        "JUST MAKE IT FUCKING WORK, DAVE."

  2. Mephistro Silver badge
    Devil

    It would be nice if...

    ... an anonymous hacker had thoroughly corrupted the database, e.g. by randomly swapping names, addresses, phone numbers. This would make Alteryx pay more attention next time and also provide ElReg's readers with entertainment for months! ;O)

    1. Anonymous Coward

      Re: It would be nice if...

      I was just about to post along those same lines, so enjoy a pint on me.

      Another amusing trick would have been for the hacker to replace all the phone numbers with those of the C-level execs, all the physical & email addresses with those of those same execs, so anyone attempting to use the data invariably ended up harassing the very company that screwed the pooch.

      Oh, and then located the back up path, hunted down said backups, & *deleted them all*.

      Bastards need to be the first against the wall when the revolution comes...

      1. Hans 1 Silver badge
        Unhappy

        Re: It would be nice if...

        Bastards need to be the first against the wall when the revolution comes...

        It will certainly not be televised!

    2. bombastic bob Silver badge
      Devil

      Re: It would be nice if...

      Just have their servers send out a one-time e-mailing of all stored data on every individual TO that individual. "This is what we know about you:" etc.

      Then we'd get to see the public outrage!

    3. Stuart Castle

      Re: It would be nice if...

      It would, but the hacker would need to announce it. Otherwise, how would they spot it?

  3. Anonymous Coward

    This latest S3 clusterfuck deserves....

    A Washington subpoena and public Q/A testimony... Shame them, then fine them! Why are hackers-cybercrims winning the Datawars? You guessed it!

  4. Anne-Lise Pasch

    Experian business model:

    1. Take your data without explicit permission

    2. Not allow you to see your own data without a fee

    3. Charge you to fix it

    4. Sell it

    5. Lose it

    6. Sell services explaining how not to lose it like Experian

    7. Fine you for suing them over lost data

    8. Cross sell insurance to you in case someone uses the data they lost against you

    This is somehow legal.

    1. Version 1.0 Silver badge

      It's the standard 'merican business model ... I think they cover this at the Harvard Business School 101 level courses.

  5. Gordon 10 Silver badge
    Facepalm

    FTFY

    "We will maintain a similar level of enhanced security apply standard S3 security for any dataset that we offer to our customers going forward."

    He means that they switched the default security permissions back on... "enhanced" me arse.

  6. Anonymous Coward

    I see it now....it's very clever.

    All these companies are deliberately leaking data now, then when GDPR kicks in, they can say "Oh no, all that info on the internet was from last year's leak...honest"

  7. TrumpSlurp the Troll Silver badge
    Trollface

    There's a hole in my bucket

    Ancient folk wisdom at its finest.

    1. Zippy's Sausage Factory

      Re: There's a hole in my bucket

      They used to sing that song at my school and it used to drive me insane. Hated it.

      I almost changed my mind a bit when I heard the Harry Belafonte version, recorded live. When he gets to the end there's just this delicious silence from the crowd awaiting the punchline.

      I just decided I needed to listen to more concert recordings, really.

  8. Anonymous Coward

    Mmmm? Data leak you say?

    Is it me or does the woman in the picture have some hair underneath her left shoulder strap but none on her shoulder? Why is her left shoulder strap thinner than her right one and does the refracted light from her spectacles give her a nasty sized scar on the right side of her face? At least one of her finger nails matches the dress colour but she also looks somewhat squeezed - like she was scaled without constraint.

    Yes, I'm that bored.

    1. Wensleydale Cheese Silver badge

      Re: Mmmm? Data leak you say?

      "Is it me or does the woman in the picture have some hair underneath her left shoulder strap but none on her shoulder? ..."

      You need to look at the accompanying text. Concentrate on the bold bits

      Yet another misconfigured Amazon-hosted cloud storage bucket has been discovered – this one flashing the personal information of roughly 123 million American households to anyone passing by on the internet.

      Quite clever if you see it.

  9. Flywheel Silver badge

    Presumably, when these idiots set up the bucket, no-one thinks of maybe doing a test from outside the network to see if it's visible (maybe using a mobile phone)? Not rocket science is it?!

  10. AndrueC Silver badge
    Facepalm

    many companies opt for the more convenient route of setting the buckets to allow access to anyone with an AWS account.

    Really? Why does such an option even exist? That's barely one step above accessible to all.

    1. P. Lee Silver badge

      >Why does such an option even exist? That's barely one step above accessible to all.

      Perhaps because it's Amazon Web Services?

      In the olden days, when I was a lad, we had three tiers: Presentation, Application and Data in our networks. Only the first was accessible from the internet. There was a good reason for that.

      Then, in order to cut costs, we cut layers out of the network and we put our data layer directly on the internet. That means that when we mess up, as fallible humans are wont to do, it immediately becomes both obvious and damaging. However, if you are a large enough company, the impact probably isn't that high.

      Security is hard and it impedes the flow of money. So why not "simplify" the design and just blame the engineers for mistakes?

  11. GrapeBunch Bronze badge

    Where I live, I can't see the gov't copy of a much-removed cousin's birth certificate until 110 years have passed. To protect identities. I suppose the excuse for releasing 2010 census info is that it is anonymized. So the company put the census results together with other scrapings and thus de-anonymized it. Shouldn't that be illegal?


Biting the hand that feeds IT © 1998–2019