
120M American Households Exposed In 'Massive' ConsumerView Database Leak - wglb
https://www.forbes.com/sites/thomasbrewster/2017/12/19/120m-american-households-exposed-in-massive-consumerview-database-leak/#412ed5e37961
======
RcouF1uZ4gsC
Personal data right now is considered an asset. It needs to be seen as a
liability.

Maybe the solution is a data tax. You pay a set amount every year for every
piece of personal data you have. If you buy personal data from another
company, you still have to pay the tax for the data you acquired.

If you have a breach of data, your tax goes up for a period of 10 years.

In addition, every piece of personal data needs to have provenance which must
be tracked. There must be a way to track from when a consumer input the data
all the way through. Fraud in regards to this provenance is punishable by jail
time. If you have data that does not have provenance, the company will be
severely fined and people will go to jail. In the event of any data breach,
not only will the company that had the breach be taxed extra, all companies
that provided the data to the company (which is in the provenance information
for the data) that had the breach will also be punished with increased data
taxes.

EDIT:

In addition, maybe require annual personal data reports. The reports should
contain

Amount of personal data.

Amount of personal data last year.

Data breaches.

Amount of personal data acquired directly from consumers.

Amount of personal data purchased and from whom at what prices.

Amount of personal data sold and to whom for what price.

This will be a filing to a government agency every year on penalty of perjury
and be signed by all the board members and the c-suite. This will be publicly
made available by the government. That way people can see what is happening
with their data, and who is profiting off their data.

~~~
drspacemonkey
Instead of a data tax, I like the idea of mandatory data insurance, with
payouts to users whose data is leaked/stolen. If your company has shitty
security, or a history of leaks, your data insurance provider will charge out
the ass.

The financial math has to clearly be on the side of it being more profitable
to practice proactive security.

~~~
JumpCrisscross
> _I like the idea of mandatory data insurance_

Why not just liability for lost data? Companies could then choose to hold the
risk themselves or field it out to insurers.

~~~
RevHaze
If it doesn't need to be insured, you could just spin off a smaller entity
responsible for holding the data for you, and shut the company down if the
data leaks. You can do the same if insurance is required of course, but any
brand new 'personal data holding' company would likely have very high
insurance premiums to offset the risk.

~~~
extrapickles
It's fairly common in the temp employee industry that if a temp worker gets
injured the temp agency folds and restarts to avoid the penalties.

It would be nice to require insurance or a bond to hold personal data so a
company can't just disappear when data is lost.

[0]: [http://projects.thestar.com/temp-employment-agencies/](http://projects.thestar.com/temp-employment-agencies/)

~~~
ticviking
And people wonder why I am so hostile to our way of creating and governing
corporations, and our way of divorcing business from the lives and reputations
of those who run it.

~~~
unclebucknasty
While simultaneously championing corporate personhood.

------
jordonwii
The linked article is not very good imo. It goes into almost no detail,
despite including two directly contradictory statements: "Yet another cloud
storage misconfiguration has exposed personally identifiable information
(PII)" and "the data in question contained no names of any individuals or any
other personal identifying information"

Can we change this to link to the Forbes article referenced in the linked one?
It goes into substantially more detail, including reconciling the researcher's
claim with Experian's.
[https://www.forbes.com/sites/thomasbrewster/2017/12/19/120m-...](https://www.forbes.com/sites/thomasbrewster/2017/12/19/120m-american-households-exposed-in-massive-consumerview-database-leak/#707af8c47961)

edit: didn't even notice the substantially more click-baity headline "Every
single American household" vs. "120 million American households".

~~~
stephengillie
The Forbes article also points out that the DB is now secured. I have 2
takeaways:

1\. This isn't an announcement that our details have been leaked, so much as a
reminder that our details are now and will perpetually be leaked, in one form
or another by an externalized party.

2\. Databases mapping all American households exist.

~~~
figgis
| 2. Databases mapping all American households exist.

And they can be pretty comprehensive. Short anecdote but the last time I
moved, and before I had updated any address information on my accounts/ID, the
first piece of non-forwarded mail I received addressed to me was a credit card
offer from AMEX. I still have absolutely no clue how they knew where exactly
to send it to me.

~~~
scoggs
I'm assuming a lot here but there is always the chance that your door-to-door
post man or woman went to deliver any generic piece of mail to your old
address only to find out you no longer lived there. I'm fairly sure there is a
mechanism in place where a post man or post office can set a recipient as
"moved" or "moving" to let the entire postal system know that until that
recipient's new address is figured out that no mail should be going to the old
address.

That said the cynic in me won't allow the positive optimist within me to win
this one. While I do believe there to be many wonderful postal workers I am
going to assume that corporate greed is winning out over the kindness and
caring of the human heart in this specific situation :(

~~~
pathseeker
There is that mechanism but you have to trigger it yourself via the USPS
website or by going to the local post office.

------
modeless
Apparently anyone who wants this data can simply purchase it from Experian.
The leak doesn't change anything except the price.

~~~
dboreham
Back in the day (20 years ago) you could buy a CD with everyone's name,
address, phone number and so on.

~~~
ghaff
Lotus Marketplace caused quite a stir back in the day. Seems rather quaint
today.
[https://en.wikipedia.org/wiki/Lotus_Marketplace](https://en.wikipedia.org/wiki/Lotus_Marketplace)

My understanding is the information was readily available to businesses from
other sources. It just popped up on people's radar because Lotus was such a
high profile company at the time.

------
ams6110
At this point the only reasonable conclusion is that all of your bio/demo,
employment, residential history, medical history, insurance claims history,
credit history, etc. is exposed. These things are no longer valid for identity
verification.

------
lgierth
Here's the report from UpGuard, who found the breach:
[https://www.upguard.com/breaches/cloud-leak-alteryx](https://www.upguard.com/breaches/cloud-leak-alteryx)

It has more detailed information about the dataset.

~~~
pishpash
Exactly this. Data intermediaries should only be notaries.

------
makecheck
All personal information sharing should now be purely digital and encryption-
keyed. We have all of the protocols, interconnected networking and ubiquitous
computing necessary to make it practical.

The only “data” any organization should receive is an encrypted blob that is
constructed using the key of the person who owns the data and the key of the
entity that was directly given the data. Furthermore, the encoded blob should
have a date of encoding and a duration of validity. In other words: “I, John
Q. Public, authorize You, DataLosingMegaCorp, Inc., to receive This Blob,
which is valid for 6 months or until either party revokes the key”.

Other public systems in society should be upgraded to require additional
layers of security. Want to send commercial snail mail to my home address?
Great: please provide the postal service with a one-time authorization code
that you received from me (after all, you _are_ using an address given to you
by me and not bought from somebody else, right?).

Another nice feature would be for data to include bank deposit info for the
data owner and bank withdrawal info for the data-receiving entity, where EVERY
SINGLE TIME your data is decrypted you receive a cash deposit from the data-
receiving entity. And make it sting, a lot: I want it to cost real dollars to
use data (and of course, I can still revoke my key at any time if you still
manage to do something stupid with my data).

~~~
ThrustVectoring
A big problem with this is that a lot of data _about_ you isn't _owned by_
you. The fact that you took out credit card X on Y date and have paid the
balance on time since then is owned by the credit card company you do business
with (well, it belongs to you too, but businesses are more willing to trust
Chase than you). This information has real business value from being a leading
indicator and costly signal of your future propensity to repay debts.

~~~
CaptSpify
At the risk of speaking for OP: The point is that the data _should_ be owned
by me. Yeah, I get that it has value to other people, but I'm the one that has
to deal with the fallout, not them. Just because something is useful to a
business doesn't mean that they have the right to it. If they want information
about me, they should be asking me, not some third party.

~~~
yjftsjthsd-h
I don't disagree, but then how do we trust it? I suppose (thinking out loud)
that we could have everyone on your credit report sign it, but then encrypt it
to your public key? That way only you can let others see it, but it's still
tamper-proof.

~~~
ThrustVectoring
There's a legit need for tampering, though - to arbitrate disputes between
creditors and debtors. Also to comply with the Fair Credit Reporting Act. So
there's _four_ parties that contribute to the document:

1\. Credit applicants, who release all-or-none of their credit report
information, and can see it at any point in time. Means it needs to be stored
encrypted with their public key.

2\. Creditors, who can add, edit, and remove information from someone's credit
report. Presumably this adds a way to verify that the addition/edit/deletion
is from them and not some other party (sign with private key).

3\. Other creditors, who can - with approval - view an applicant's credit
report and know it is complete and up-to-date.

4\. Arbitrator, who resolves disputes and deletes or corrects inaccurate
information from reports.

And presumably you'd want some sort of additional safety mechanism to prevent
dissemination of the unencrypted result? Like, if you gave an organization an
unlock code, maybe it's possible to arrange things such that that
organization's private key is able to create legit-looking data, so nobody
else could trust third-party sharing of credit report data?

------
mandazi
> At issue is once again an Amazon Web Services S3 cloud storage bucket that
> was misconfigured and inadvertently left open to the public internet, where
> anyone with a connection online could have found it.

I use S3 and I have noticed that by default it's locked down and secure and in
order for it to be open you have to open it for the public. Maybe AWS could
improve the way it can secure the S3 buckets by making it easier to whitelist
access by IPs or some variant to this. Although I personally find it fairly
straightforward to use in the projects I work on, it appears it may be
difficult and my developers just open it up to the public so their apps can
easily access it.

~~~
mcheshier
My biggest problem with S3 is the old multi-layered security model with bucket
policies and ACLs. They need to update it to just use IAM like everything
else.

~~~
kgilpin
IAM is also super hard to configure.

I would like to see more sense of responsibility from AWS for these leaks
rather than blaming the users.

It’s bad usability.

~~~
manigandham
That's ridiculous. AWS provides infrastructure and tools, it's up to
developers and companies to properly deploy them and implement the appropriate
security.

------
aptsurdist
Class action lawsuit?

How is it okay that this information is even available from Experian in the
first place?

I don't think anyone opted in to this. And I don't think there is any obvious
way to opt out.

And Experian is not just some data tracking company watching your behavior on
a website; they're supposed to be protecting our credit system. Do they obtain
some of this information through special privileges because they're a pseudo-
official credit score agency? If so, is this grounds for a class action
lawsuit?

(As others have argued, this data is legally available through Experian, it
just normally isn't free.
[https://www.experian.com/assets/dataselect/brochures/consume...](https://www.experian.com/assets/dataselect/brochures/consumerview.pdf))

~~~
FeteCommuniste
And they even have us all classified into consumer categories (and sub-
categories!) with snappy little names:
[https://www.experian.com/assets/marketing-services/brochures...](https://www.experian.com/assets/marketing-services/brochures/mosaic-brochure.pdf)

"Blue Sky Boomers," "Significant Singles," "Pastoral Pride" (subgroups: "True
Grit Americans," "Countrified Pragmatics," "Rural Southern Bliss," "Touch of
Tradition").

------
wkirby
Apparently I take better care of user information on a hobby project running
on localhost that will never see a remote server than these giant companies do
with real life data.

------
maxxxxx
The data is just way too spread between too many companies. Someone will screw
up somewhen for sure. Not sure how to solve this. Make it illegal to store
data and instead only allow access with permission for specific purposes?

~~~
nothrabannosir
Let companies share and do whatever they want but put huge fines on data
breaches. Make it a felony to hide, fail to report or otherwise lie about data
breaches. Money if you fuck up, prison if you lie about it.

That should align some incentives and get you a good way along. It will
incentivise proper security measures, and help quench the thirst for data in
the first place.

~~~
maxxxxx
If no one went to jail for what Wells Fargo did with opening unauthorized
accounts I don't have much hope that there will be meaningful fines for data
breaches.

------
21
My reading of this is that anyone who "just wants to see the world burn"
needs to pay $40k to Experian and then post this data on the web.

~~~
infinite8s
I think the data probably comes with a license that you can't redistribute it.

------
beedogs
Maybe companies like this just shouldn't be allowed to store data on people
anymore. It's becoming clear that none of them know how to keep it from being
stolen. I reckon most people don't even know they're affected by this.

------
xor1
I really want to see the information relevant to me, assuming I'm in the leak.
Just to see how accurate it is.

------
Dowwie
Does anyone know what happened to MIT's Enigma project?

This is their white paper:
[http://web.media.mit.edu/~guyzys/data/ZNP15.pdf](http://web.media.mit.edu/~guyzys/data/ZNP15.pdf)

~~~
bpicolo
[https://enigma.co/](https://enigma.co/)

------
perseusprime11
Does it still make sense to shred our personal documents with our names and
addresses? Given so many leaks, it may be easier to get our information
online than going through our garbage.

~~~
AnimalMuppet
If I don't shred it, I usually dump it into a particular trash can. The bag
from that trash can is the one I usually use for cleaning out the cat litter.
If someone wants to steal it from my trash can, it may be possible, but
they're going to _earn_ it.

------
glitcher
How is it that addresses and phone numbers are not considered personal
identifying information???

Forgetting for a moment the fact that with even a few data points on someone
it is getting easier and easier to cross reference other data sources and de-
anonymize almost anything - but address and phone numbers are so directly and
easily tied to real people this seems like a massive oversight in current
regulations on "personal identifying information".

------
akane
On a related note, here's an open-source project I created that you can use to
check your own S3 buckets:
[https://github.com/ankane/s3tk](https://github.com/ankane/s3tk)

------
ChuckMcM
Sigh, Amazon S3 bucket scavenging is today's version of 'war dialing'

------
TheYcMaster
I imagine this scenario now in the EU, where the Smart Meter Gateway will enter
millions of households, tracking the electricity consumption.

Where does this data go? Who will use this information?

~~~
dsfyu404ed
Somewhere there is a law enforcement organization that's drooling over the
thought of automatically generating a list of suspected grow-ops by cross
referencing power usage with marketing demographic information and
automatically applying for a search warrant.

They'll probably stop doing it after they kick down the door of a day-care in
a rich neighborhood and only find hot glue guns and those beads you fuse with
an iron.

~~~
jacquesm
That's why savvy grow-ops bypass the meter.

------
Shivetya
I would not mind regulation requiring such assemblers to purchase
insurance which provides payouts to those who are damaged by such leaks.

------
mrb
The headline might as well say "ALL households exposed". The number of
households in the US is 126M.

------
JepZ
Like a bank with an open safe in front of the bank holding all its customers'
treasures and files.

------
Pokepokalypse
If everyone is exposed, no one is.

¯\_(ツ)_/¯

------
zouhair
Another day, another leak, another mass shooting. This is starting to be a daily
occurrence in the US.

------
microcolonel
Glad all of this stuff is happening before I move to the U.S.

------
yakt
So what is the right order

LEAK-DISCUSS-FORGET-SUFFER-REPEAT?

------
hashkb
> He found the data was sitting in an Amazon Web Services storage "bucket,"
> left open to anyone with an account,

This is hard to believe. S3 bucket names are unique. I can't make a bucket
named `bucket`; I'd have to call it `dashkb-bucket` or something (a common
convention is to prefix with your company's domain)... anyway...

The point is: for the bucket to be named `bucket` Alteryx must have had one of
the very first AWS accounts, and from there isn't it reasonable to assume this
bucket has been exposed for many years?

~~~
egypturnash
This sentence is not saying that "bucket" is the name of the bucket.

It is saying that the data was in a thing that Amazon Web Services provides,
which AWS calls a "bucket".

Most people who are not web developers don’t even know Amazon Web Services is
a thing, much less the cute names of any of their services.

