Bert's take on the Alteryx situation

"Yesterday, Alteryx shares traded down quite a bit. You may be aware that the company was said to be the focus of a major breach. Needless to say, fake news is not confined to (politics). In this case, a security consultant, hardly a disinterested party, pointed out a potential flaw in access to 3rd party data that AYX resells.

The critical things to note are that AYX has been reselling this data. It is commercially available and has been so for years. Also, the data has been de-identified. Usually breaches have to do with identity theft… This trove doesn’t have either names, credit card numbers or social security numbers.

Alteryx has been sloppy obviously, but it hasn’t been involved in a real breach the way most people think about it. I imagine the shares will ultimately shrug this off, as it is meaningless in terms of operational performance."

Bert said it even better than I had said it. It sounds like less and less of a big deal as we go on.

Saul

24 Likes

I have a low ball bid in.

If you could act a little more upset, it would be helpful.

Cheers
Qazulight

9 Likes

This trove doesn’t have either names, credit card numbers or social security numbers

Sure… you believe that. But history has shown time and time again the dishonesty of many companies who downplay and deceive when it comes to explaining the full nature of their platform security.

Sure… you can point fingers at and disparage an employee… even if that is true… it often points to a culture of laziness and disregard for security. After all… money poured into network hardening takes income from the bottom line and realizes no immediate financial return.

I view this cautiously until we know more about the extent and frequency of such lapses.

5 Likes

More from Bert:

“As I said, sloppy but not an issue with data security. It is 3rd party data and it should have been protected, but you or I or anyone else could and can buy it. It is also not very useful data from the perspective of stealing someone’s identity. Knowing that an individual likes cats doesn’t identify them although it does help in data analytics where people do complex queries regarding correlations as part of their job. I have no idea how someone could use this data to steal anyone’s identity which is, perhaps, why it was not properly encrypted.”

I figure he understands this stuff a lot better than I do and I’m glad for his confirming opinion. I’m also glad that some people are still worked up over this tempest in a teapot, and that it’s getting a lot of press for a day or two, as it gives me a chance to add to my already large position.

Saul

8 Likes

Is there a link to where Bert has written about this situation?
Where is that info coming from?

Thanks,
A.J.

2 Likes

Saul I agree. It has been pointed out in various articles written about this mishap that nefarious types can piece all this data together and end up with a name, and I suppose that must be true since so many are saying it is true. But my question to them would be, how hard is that to do? Saying it can be done is different than saying it is easy and not time consuming, etc. As you have said, this information is for sale, so my thinking is if some evil bad guys have the computing power and expertise to examine this data and come up with your name and other identifying info, why wouldn’t they just buy the data and set to work stealing your identity?

My wife’s and my social security numbers were stolen a few years ago, and false tax returns were filed in our names. Much to my surprise, when I contacted LifeLock they told me they didn’t get involved with tax identity theft and I would have to call the IRS. When I did contact the IRS the nice lady there told me, “Your return looked so different from years past that we put a hold on your return until we could contact you, so thanks for calling and clearing that up, the bad guys will not be getting any money”. The state sent the huge refund the bad guys had filed for to our home, and we returned it to the state. So the thieves didn’t seem to be very bright.

As a tip for others, the reason our return looked suspicious to the IRS is that my wife and I usually try to owe money at the end of the year. Just a small amount every year. This return showed a refund of 6K. The IRS lady said if they had shown a grand maybe they would have sent the money out, but 6K just seemed too much compared to 30 years of us owing money at the end of the year. She said a good tip for everyone is to owe money every year because then a false return asking for a big refund will set off alarms at the IRS.
Our credit is locked down at the agencies so we suffered no damage from the loss of our social security numbers, but I keep a close watch as I suppose those numbers are floating around on the black web somewhere.
Mike

4 Likes

As I see it, Alteryx tools could be employed to join different data sources and develop the linkage between the “anonymous” data Alteryx claims to have been exposed with sources that do expose PII (like publicly available voter registration information). I’m very sanguine about this.

Thanks for this, Saul. The day the story broke about the “breach” I tried to find whether Bert had anything to say about it, but came up empty.

Is there a link to where Bert has written about this situation?

Personal email. Here’s the last of his comments:

"You know, given how the information was developed, and given my suspicious mind, it may be that the whole thing was designed to make people sell their shares. Sadly, that kind of thing happens in the world. Sadly, there are institutions who barely know what they own.

What I tell folks is try to understand what you do with this product and why people want to buy it. You invent an electric car - everyone understands that. You invent a way that you can analyze data without coding - what’s that? Well, it is a big deal in the modern workplace so everyone loves it and wants to buy it. Just consider what it is replacing - because I can assure you that there are no self-service data analytic platforms that really work well while there are plenty of electric cars."

Hope this helps

Saul

11 Likes

Oops, I meant not very sanguine . . .

"…you can point fingers at and disparage an employee… "

doesn’t that sound like BOFI in some sense?

She said a good tip for everyone is to owe money every year because then a false return asking for a big refund will set off alarms at the IRS.

That is a good tip regardless of identity theft.
Getting a refund means loaning money to the government for free.
Owe too much and you might pay a penalty.
Happy middle is to owe a small amount.

YMMV.

Mike

3 Likes

On the sanguine remark, I rushed out and bought thousands of shares. Then, when I saw the correction to “NOT sanguine,” I rushed out and sold them all at a loss of $.15 a share, plus commissions. :wink:

I was just thinking that lately we’ve had lots of FUD - SNCR (which was totally justified), UBNT and SHOP (most likely ignorable), and now AYX.

I bought some AYX just before this brouhaha, and I think I’ll deal with it by hanging on to what I have but not buying more.

Alteryx has been sloppy obviously, but it hasn’t been involved in a real breach the way most people
think about it.

Say what?

Someone has to take the other side of this.

I’ll volunteer because I think one of the most damaging changes we’ve allowed to occur is when,
after 9/11, we allowed the government to take all kinds of privacy rights we had and trash them.
And once that happens, of course, they never come back. Another kink in our course was slower but
just as detrimental. Over the last 15 years, our “leaders” have mandated that the rights of
corporations come first and are more important than people. We have slowly, but not so subtly, given
corporations the right to totally ignore any rights of citizens. It’s apparently become the Standard
Operating Procedure for everyone.

Put these two changes together and we have a data breach (call it what you want; it’s a breach.) I figure
by the number of people covered by the file that it is a file covering everyone in the US who has a
current credit file. So it’s “no big deal” that foreigners and who-knows-who - maybe the very folks
who were kind enough to help us choose our president? - probably now have access to complete credit
histories of every US citizen.

All that is to say nothing of the fact that this “file” cost the company $238,000 if I remember correctly.
That’s the small part, but if I were CEO I still wouldn’t let just any ol’ janitor take the file to the copy
machine, let alone the cloud. Coupled with the idea of the people who could be hurt financially by the
action (clients? How about every family in the country?) still concerns no one but me? And then to
react like they have (“Oops, I farted”) is totally insulting.

I can be greedy but money isn’t everything. Since I can’t slap anyone at the company, the only thing I
can do in protest is to not buy shares. I realize I am in the minority and I have little doubt the company
and its share price are probably quite safe.

That’s a whole lot more than I can say for you and me. Guess it doesn’t matter; after all, we’re not
corporations.

Dan

27 Likes

The data that was left public was a “ConsumerView” database purchased from Experian (as well as U.S. Census data). If the general public is concerned that this was leaked, they should be much more troubled by the fact that Experian collects all this information and sells it. It is a much different situation than private information that you have entrusted to a company which is stolen/leaked.

The actual post from UpGuard https://www.upguard.com/breaches/cloud-leak-alteryx doesn’t have the same tone as the Forbes article. I feel that the Forbes author wrote a pretty slanted piece, injecting ‘Massive leak’ and ‘Misleading response’ in bold headers… it’s tabloid writing to try to spice up a bland story.

My conclusion is that it was certainly not great that Alteryx left this data open, but I don’t see major ramifications beyond increasing scrutiny on their security practices.

8 Likes

Let’s keep in mind, this was the “damning” response as written in the article…

After being informed by Vickery about the open data, the company took action and secured the database from public view last week. In an emailed statement, a spokesperson told Forbes:

"Alteryx secured the bucket, removed the file and has taken steps to prevent this from happening in the future. Alteryx confirmed that the file contained no names of any individuals or any other personal identifying information.

Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes. The information in the file does not pose a risk of identity theft to any consumers."

2 Likes

I just got an email from Norton warning me about a data leak of 120 million households, “raising the possibility of identity theft” by Alteryx… this can’t be good PR…

2 Likes

I just got an email from Norton warning me about a data leak of 120 million households, “raising the possibility of identity theft” by Alteryx… this can’t be good PR…

rrwfl45, They also have an article up on their website: https://us.norton.com/internetsecurity-emerging-threats-alte…

They explain a bit about how the exposed data could have been used for identity theft:

Although individual names were not included in the data, it’s possible that data thieves could cross-reference stolen information with other available public information.

For instance, someone could use a street address to search for property tax information. That property tax information often includes the name of the property owner. In this way, someone could “piece together” an individual by combining the different sources of information, which could ultimately lead to identity theft.

My take - definitely not good PR but I expect it will blow over. However I did not like AYX’s response. It seemed to brush it away too blithely and a little more mea culpa could have helped present them as a concerned, pro-active company. Hopefully lessons learned and I think it is/will be a good investment.

Ed,
My deepest apologies :wink: