What's a security breach and what isn't?

Puddinhead explained this much better than I had. I had said (paraphrased):

(Alteryx) had an employee of theirs temporarily leave data exposed in error,… marketing data (that presumably people can rent or buy anyway)… This is not like finding evidence that bad guys got inside your systems and stole data. That’s a data breach!

Puddinhead responded to someone saying that Alteryx had had a security breach to its platform as follows:

Not accurate! They bought a database of info from Experian and some dumba$$ left it on an unsecured AWS server (like in a “drop box”). Not at all on their platform. If your 16 year old left your car keys on the roof of your car, you can hardly say the car’s security system was insufficient.

What’s the difference? There’s all the difference in the world between:

on the one hand, finding that, because of a weakness, your platform was hacked and that you had a security break-in where bad guys are known to have broken in and stolen valuable data, and

on the other hand, having a distracted employee leaving some marketing data out in the open. At the present time, we don’t even know if anyone, besides the researcher who found it, stumbled on the data.

The first situation says that there’s a weakness in your platform (big problem), and that some crucial data was intentionally stolen.

The second situation says there’s no weakness, and nothing wrong with your platform. It’s just that some “dumba$$” (as Puddinhead so nicely put it) left some purchased advertising data out in the open and unsecured.

I hope this helps

Saul

15 Likes

Thanks for sharing your thinking on this Saul, Puddinhead and others.

Lesson for the kids here is investors have to know our own sensitivities, psychology and level of expertise. I have a quick trigger finger, a temper and am prone to wildly overrating risk. It has crushed my potential earnings, selling out of winners (Amazon, Netflix, Tesla to name a few) way too early in the last decade.

I came back to individual investing with a commitment to using these boards. It is the whole point and the very heart of the Motley Fool - helping each other invest better. It gives you perspective, additional expertise, balance, a chance to check your natural weaknesses and flaws. My first response to seeing AYX down in combination with that article was to scream bloody murder and sell. I came an inch away. But I wanted to see how the bigger boys handle this.

I’m now holding tight because the story of the stock is unchanged, the case is still strong, the damage is likely to be minimal and the TAM remains massive.

Thank you Saul et al!

Also, can we levy a $5.00 fine to anyone who misspells the company’s name again? It’s not Asteryx, not Alterex, not Yukkel’s Latke Hut. It’s Alteryx (AYX).

Fool On and Happy Holidays to this very great board and blessed bastion of human decency.

BD

13 Likes

Well, that’s all well and fine, but perceptions matter. This “breach” or whatever you want to call it got covered by Huffpost and other general audience publications. AYX (bouncing back today) took an immediate hit, lost about 1/8 of its value.

Good time to buy? Maybe. None of us really know what happened or how serious it might be. Alteryx management downplayed the event. No PII was exposed. Dumb employee screwed up. Not to worry. Is that the whole story? I don’t know. I’ll give it a definite maybe. Might just be lipstick on a pig.

I reviewed their tools. They’re very good, they have an excellent product. That may not matter.

There’s other fish in the sea. If Alteryx continues to grow and this blows over without material damage it won’t be too late to buy back in later. The pending litigation may be groundless ambulance chasers or it may be substantive.

I’m on the sidelines . . . for now, anyway.

At the present time, we don’t even know if anyone, besides the researcher who found it, stumbled on the data.

My understanding is AWS found unusual activity (that is, storage read requests that are very high) and that is how the company discovered it. AWS monitoring picked up the unusual activity because a very large number of folks were accessing, or a large amount of data was being accessed and downloaded; otherwise it would not blip on AWS radar.

1 Like

It helps Saul, but only to an extent. The platform is part of the business. Another part of the business is retaining credibility by the most careful selection of employees. They failed in this and chose one who was a “dumba$$”. Clearly, the business should be hauled over the coals for omitting to realize the employee was a dumba$$ and it should take the utmost care to avoid employing dumba$$e$ in future. My point is that your description of the dumba$$ as ‘just’ a dumba$$ is not quite good enough; after all it was not a ham sandwich he left on top of a car.

Talking of which, as it’s Christmas (or where I live we call it Christmas and of the various people of other creeds I know, not one objects to it being called Christmas and all are surprised at the embarrassing cringing and euphemizing of the west in contrition for calling it Christmas etc.) here is a riddle that came out of my cracker at Christmas lunch last year:

Why can’t you starve in the desert?

Because of the sand which is there.

Happy Christmas!

2 Likes

Another part of the business is retaining credibility by the most careful selection of employees. They failed in this and chose one who was a “dumba$$”. Clearly, the business should be hauled over the coals for omitting to realize the employee was a dumba$$ and it should take the utmost care to avoid employing dumba$$e$ in future.

streina, Come on now! Be real! Do you think Amazon doesn’t have any dumb employees who could make dumb mistakes? or Tesla? or Nvidia? or Apple? or… pick your favorite company? Do you really think Clearly, the business should be hauled over the coals for omitting to realize the employee was a dumba$$…? Wow, there wouldn’t be enough coals in the universe if every company who hired dumba$$s was raked over the coals!!!

I think each of their customers will think “That could have happened to me!” It’s a big prediction but I don’t think that there will be any business consequences AT ALL. Google, Apple, Facebook, Tesla… Think of all the flubs they’ve made recently. Did their customers go away?

Saul

7 Likes

I think the world is beginning to rein in the generous tolerance accorded to data breaches (and other woeful failures). The question is not really the one you raise Saul (does not every company have its feckless, irresponsible employees?) but how to punish those failures to eliminate them which are later revealed by serious breaches. Consequences matter.

It is useless if the world says ‘Oh well, could’ve happened to anybody, we’re sure you’ll get it right next time, move along folks, nothing to see here’.

Companies in this space need to know exactly how harshly they will be treated if they get it wrong. It’s all about incentives. The thought of prison concentrates the minds of the board wonderfully on personnel and budgets.

5 Likes

Wow, there wouldn’t be enough coals in the universe if every company who hired dumba$$s was raked over the coals!!!

Companies dealing with sensitive data need to have procedures in place that prevent an individual employee from making these kinds of mistakes. It’s dumb of the company to put such sensitive data in the hands of any one employee without enforced controls, whether that employee is dumb or smart. And remember, the company didn’t discover this. A small company, Upguard, did.

As Upguard itself says: “this exposure highlights a number of growing forms of cyber risk with systemic implications.” (https://www.upguard.com/breaches/cloud-leak-alteryx)

Whether or not the Amazon logs show that anyone accessed the data or not, Alteryx obviously did not have proper procedures in place. The dumba$$s was not so much the person that left the data in the open, but the higher up security officers/team that did not have the right procedures in place to prevent it, much less detect it.

6 Likes

"It is useless if the world says ‘Oh well, could’ve happened to anybody, we’re sure you’ll get it right next time, move along folks, nothing to see here’.

Companies in this space need to know exactly how harshly they will be treated if they get it wrong. It’s all about incentives. The thought of prison concentrates the minds of the board wonderfully on personnel and budgets."

Perhaps the government is not too hard on data breaches because it has happened and can happen to them. To my knowledge no one was even fired for this one (which included my data). Next time a government official calls for someone’s head remember this. The US Government’s response was to cover those affected with ID coverage for 1 year.

https://www.opm.gov/cybersecurity/cybersecurity-incidents/

Rob

Whether or not the Amazon logs show that anyone accessed the data or not, Alteryx obviously did not have proper procedures in place. The dumba$$s was not so much the person that left the data in the open, but the higher up security officers/team that did not have the right procedures in place to prevent it, much less detect it.

Smorgasbord1, maybe Alteryx needs to get in touch with Varonis.