Security researchers at UpGuard have discovered an exposed database containing the personal data and behavioural profiles of over 120 million US individuals.
The misconfigured Amazon S3 bucket was discovered by an UpGuard analyst on February 3, to which the bucket was traced back to market analysis company Tetrad.
The database contained 747GB of data, to which almost half were in a directory named “client files”, and appeared to be data provided to and from Tetrad clients.
Some of the exposed data included a spreadsheet listing 4,000 actual and planned locations relevant to IBM Tririga deployments; a spreadsheet detailing over 700,000 online purchases made on Kate Spade’s e-commerce website; 3.8 million loyalty card accounts belonging to Bevmo; and a spreadsheet containing purchases from TSC.
Within the trove of data, a large subset of the files were labeled “Experian Mosaic” and contained the data of 120 million US households, including names, head of the household, gender, physical home address and Mosaic group ID code.
“Marketers and vendors collate this data to continuously refresh and refine a taxonomy of consumers similar to that in the Experian Mosaic model. Based on thousands of data points, Mosaic uses the buying patterns of households to detect clustered features and bucket the underlying complexity of millions of individuals into nameable social groups,” explained UpGuard.
It is unclear as to how long the data was exposed for, however Tetrad removed public access a week after being notified.
“Digital technology does not just enable the accumulation of behavioral data; it also makes possible the unintentional exposure of that data en masse. In this case, multiple data sources, from other companies’ data products like Experian Mosaic to retailers’ customer loyalty programs, were combined in one storage bucket that was misconfigured for public access,” UpGuard concluded.
“As a result, data that was collected by multiple entities, and affecting with varying degrees of intensity every household in the U.S., was made available not just to businesses and other intended audiences, but to anyone at all.”
The post #Privacy: Market analysis company exposes over 120m US consumers appeared first on PrivSec Report.