U.S. Rep. Ben Ray Luján
WASHINGTON, D.C. ― U.S. Representatives Ben Ray Luján (D-NM) and Jan Schakowsky (D-IL) last week sent a letter to the computer software and data analytics company Alteryx after it was disclosed in December that the company failed to properly secure sensitive consumer data and accidentally exposed personal information affecting 123 million American households.
The data breach by Alteryx comes after a series of high-profile data breaches including the disclosure of consumer data by the credit reporting agency Equifax and the ride-share company Uber.
In the letter to Alteryx, Luján and Schakowsky wrote:
“On Dec. 20, 2017, Alteryx revealed that the company had accidentally exposed nonpublic marketing data on 123 million U.S. households from the consumer reporting agency Experian. The unsecured files also included publicly available data from the U.S. Census Bureau. Alteryx stored the files online using Amazon Web Services (AWS) and left them accessible to anyone with a free AWS account…
“Companies in the consumer data industry collect and sell vast quantities of personal information that, if exposed, can leave consumers vulnerable to fraud, identity theft, and other abuses. The Subcommittee on Digital Commerce and Consumer Protection has a longstanding interest in safeguarding the privacy and security of consumer information. We therefore request a briefing on this incident with our staff and Committee staff before Jan. 31, 2018.”
The lawmakers also posed a series of questions to the company including:
- How long did Alteryx leave the files exposed on AWS? When and how did Alteryx discover that the files were exposed? When did Alteryx remove the exposed files?
- What specific categories of consumer information were exposed, and what are the sources of the information?
- Does Alteryx know who or how many people accessed the exposed files while they were publicly available?
- What were Alteryx’s internal data security policies at the time of this incident? Has the company conducted an investigation to determine how and why the incident occurred? What were the results of any investigation?
- Is Alteryx changing its privacy and data security policies in light of this incident?
- Is Alteryx offering or planning to offer any type of post-breach consumer protection service to consumers?
Luján and Schakowsky noted that as massive data breaches become more frequent, companies must do more to protect their databases from intrusion. They also said consumers need a reliable way to get information about whether their personal information was compromised and the ability to take steps to protect themselves once a data breach is discovered.
“Given the frequency of these massive data breaches, it is simply unacceptable for companies and the credit agencies who sell them this sensitive personal data to treat it so casually,” Luján said. “We must give power back to consumers by requiring credit reporting agencies, and the companies to whom they sell sensitive consumer data, to properly address privacy and data concerns. They must also have procedures in place to notify consumers immediately when they become aware of security violations.”
Last year, Luján, Schakowsky and their Democratic colleagues on the Energy and Commerce Committee wrote a letter to Equifax chairman and CEO Richard Smith seeking detailed information about how their massive data breach occurred, what steps Equifax was taking to make affected consumers whole, and what the company is doing to safeguard against security breaches in the future. Last month, the two legislators also wrote to the Federal Trade Commission (FTC) expressing significant concerns regarding Uber’s privacy and security practices.