January 12, 2018

Luján and Schakowsky Push Data Analytics Company for Answers Following Significant Data Breach

[WASHINGTON, DC] – Reps. Ben Ray Luján (D-NM) and Jan Schakowsky (D-IL) this week sent a letter to the computer software and data analytics company Alteryx after it was disclosed in December that the company failed to properly secure sensitive consumer data and accidentally exposed personal information affecting 123 million American households.

The data breach by Alteryx comes after a series of high-profile data breaches, including the disclosure of consumer data by the credit reporting agency Equifax and the ride-share company Uber.

In the letter to Alteryx, Luján and Schakowsky wrote:

“On December 20, 2017, Alteryx revealed that the company had accidentally exposed nonpublic marketing data on 123 million U.S. households from the consumer reporting agency Experian. The unsecured files also included publicly available data from the U.S. Census Bureau. Alteryx stored the files online using Amazon Web Services (AWS) and left them accessible to anyone with a free AWS account . . .”

“Companies in the consumer data industry collect and sell vast quantities of personal information that, if exposed, can leave consumers vulnerable to fraud, identity theft, and other abuses. The Subcommittee on Digital Commerce and Consumer Protection has a longstanding interest in safeguarding the privacy and security of consumer information. We therefore request a briefing on this incident with our staff and Committee staff before January 31, 2018.”

The lawmakers also posed a series of questions to the company including:

· How long did Alteryx leave the files exposed on AWS? When and how did Alteryx discover that the files were exposed? When did Alteryx remove the exposed files?

· What specific categories of consumer information were exposed, and what are the sources of the information?

· Does Alteryx know who or how many people accessed the exposed files while they were publicly available?

· What were Alteryx’s internal data security policies at the time of this incident? Has the company conducted an investigation to determine how and why the incident occurred? What were the results of any investigation?

· Is Alteryx changing its privacy and data security policies in light of this incident?

· Is Alteryx offering or planning to offer any type of post-breach consumer protection service to consumers?

Luján and Schakowsky noted that as massive data breaches become more frequent, companies must do more to protect their databases from intrusion. They also said consumers need a reliable way to get information about whether their personal information was compromised and the ability to take steps to protect themselves once a data breach is discovered.

“Given the frequency of these massive data breaches, it is simply unacceptable for companies and the credit agencies who sell them this sensitive personal data to treat it so casually,” said Luján. “We must give power back to consumers by requiring credit reporting agencies, and the companies to whom they sell sensitive consumer data, to properly address privacy and data concerns. They must also have procedures in place to notify consumers immediately when they become aware of security violations.”

Last year, Luján, Schakowsky and their Democratic colleagues on the Energy and Commerce Committee wrote a letter to Equifax Chairman and CEO Richard Smith seeking detailed information about how their massive data breach occurred, what steps Equifax was taking to make affected consumers whole, and what the company is doing to safeguard against security breaches in the future. Last month, the two legislators also wrote to the Federal Trade Commission (FTC) expressing significant concerns regarding Uber’s privacy and security practices.

 

-30-

January 11, 2018

Dean Stoecker
Chairman and Chief Executive Officer
Alteryx, Inc.
3345 Michelson Drive, Suite 400
Irvine, CA 92612

Dear Mr. Stoecker:

We are writing to request a briefing on the recent disclosure that Alteryx, Inc. exposed personal information on almost every person in the United States by failing to secure online files containing hundreds of different categories of consumer data. As a data analytics and marketing company, Alteryx collects and sells detailed information on consumers’ identities, finances, habits, preferences, and other attributes.[1]

 

On December 20, 2017, Alteryx revealed that the company had accidentally exposed nonpublic marketing data on 123 million U.S. households from the consumer reporting agency Experian.[2] The unsecured files also included publicly available data from the U.S. Census Bureau.[3] Alteryx stored the files online using Amazon Web Services (AWS) and left them accessible to anyone with a free AWS account.[4]

Alteryx has since removed the files from AWS, and has stated that the files did not contain names, Social Security numbers, passwords, or credit card numbers.[5] However, 248 other types of personal information were exposed, including phone numbers, addresses, ethnicity, detailed financial and housing information, and information on children.[6] Security researchers have warned that such data can easily be used to identify people when cross-referenced with public records and other available information.[7]

Companies in the consumer data industry collect and sell vast quantities of personal information that, if exposed, can leave consumers vulnerable to fraud, identity theft, and other abuses. The Subcommittee on Digital Commerce and Consumer Protection has a longstanding interest in safeguarding the privacy and security of consumer information. We therefore request a briefing on this incident with our staff and Committee staff before January 31, 2018. Please be prepared to discuss the following questions:

 

1. News reports have indicated that the exposed files contained a mix of public and private information from Experian, the U.S. Census Bureau, and other sources. What specific categories of consumer information were exposed, and what are the sources of the information?

2. How long did Alteryx leave the files exposed on AWS? When and how did Alteryx discover that the files were exposed? When did Alteryx remove the exposed files?

3. Does Alteryx know who or how many people accessed the exposed files while they were publicly available?

4. What were Alteryx’s internal data security policies at the time of this incident? Has the company conducted an investigation to determine how and why the incident occurred? What were the results of any investigation?

5. Is Alteryx changing its privacy and data security policies in light of this incident?

6. Did Experian, or any other company from whom Alteryx obtained consumer data, require that Alteryx have any privacy or data security standards before selling them the information contained in the exposed files?

7. Is Alteryx offering or planning to offer any type of post-breach consumer protection service to consumers?

 

To schedule the briefing, please contact Graham Mason with Congressman Ben Ray Luján at (202) 225-6190 and Matt Hayward with Ranking Member Jan Schakowsky at (202) 225-2111. Thank you for your prompt attention to this matter.

Sincerely,

Ben Ray Luján
Member
Subcommittee on Digital Commerce and Consumer Protection

Jan Schakowsky
Ranking Member
Subcommittee on Digital Commerce and Consumer Protection



[1] You May Not Know Much About the Companies Exposing Your Personal Information. But They Know a Lot About You., Washington Post (Dec. 22, 2017); UpGuard, Home Economics: How Life in 123 Million American Households Was Exposed Online (www.upguard.com/breaches/cloud-leak-alteryx) (accessed Jan. 3, 2017).

[2] Alteryx Data Breach Exposed 123 Million American Households' Information, Los Angeles Times (Dec. 22, 2017).

[3] United States Census Bureau, U.S. Census Bureau Data Not Part of Reported Leak of Personally Identifiable Information from 123 Million Households (Dec. 21, 2017) (press release).

[4] 120 Million American Households Exposed In ‘Massive’ ConsumerView Database Leak, Forbes (Dec. 19, 2017).

[5] Alteryx Community Analytics Blog, Third-Party Marketing Data (community.alteryx.com/t5/Analytics-Blog/Third-Party-Marketing-Data/ba-p/106911) (accessed Jan. 3, 2017).

[6] UpGuard, Home Economics: How Life in 123 Million American Households Was Exposed Online (www.upguard.com/breaches/cloud-leak-alteryx) (accessed Jan. 3, 2017).

[7] Data Breach Exposes 123 Million U.S. Households, Fortune (Dec. 22, 2017); A 10-Digit Key Code to Your Private Life: Your Cellphone Number, New York Times (Nov. 12, 2016).