Over 120 Million US Consumers Exposed in Privacy Snafu

Security researchers have discovered a publicly exposed cloud database containing personal data and behavioral profiles on 120 million Americans.

Security company UpGuard found the misconfigured Amazon S3 bucket on February 3 this year, eventually tracing it back to market analysis company Tetrad.

Around half of the 747GB trove appears to have been sourced from client organizations.

It included data extracted from Chipotle employees’ mobile phones for tracking, a spreadsheet containing the home addresses of 700,000 Kate Spade customers and 3.5 million loyalty card accounts for beverage retailer Bevmo, including the physical address tied to each account.

The database also featured 10GB of data from the Experian Mosaic consumer behavior product. UpGuard discovered 130 million rows of this information including the address of each household and the name/names of the heads of the household, plus their gender and other details.

Companies like Tetrad use this information to map consumers, grouped into Mosaic categories by buying behavior, to their geographical location, so that retailers looking to build a new store know to do so close to clusters of potential customers.

The result was a database of 120 million Americans including full name, gender, address and “type” of consumer. It’s unclear how long it was exposed for, although Tetrad is said to have finally closed access a week after first being notified.

“Digital technology does not just enable the accumulation of behavioral data; it also makes possible the unintentional exposure of that data en masse. In this case, multiple data sources, from other companies’ data products like Experian Mosaic to retailers’ customer loyalty programs, were combined in one storage bucket that was misconfigured for public access,” concluded UpGuard.

“As a result, data that was collected by multiple entities, and affecting with varying degrees of intensity every household in the US, was made available not just to businesses and other intended audiences, but to anyone at all.”
