Alteryx Company: Vulnerability and Legal Issues

1.1.0 Alteryx, 2017

Alteryx is a California-based marketing firm that operates through the use of data science and analytics. It is headquartered in Irvine, CA, and operates globally. Alteryx’s company’s size is estimated around 670 employees. Its specialty involves combining data analysts and scientists to break down data barriers and provide insights into the data world (Alteryx, n.d.). The company operates by selling access to its own marketing product, “Alteryx Designer with Data,” which incorporates the Experian and other data from the U.S. Census Bureau (Hackett, 2017).

1.1.1 Vulnerability and risk/loss value

This is an unintended disclosure that contained sensitive information with massive amounts of data that was mistakenly posted publicly. A researcher from a cybersecurity firm UpGuard stumbled across and discovered Alteryx’s database. This data leak estimated there were more than 120 million American households exposed (Thakkar, 2017). However, the announcement to the public was made a day later, but the firm was not sure how long the data had been left open. The unsecured personal information was being stored in an Alteryx’s file bucket, which was located on Amazon Web Services S3 cloud storage subdomain. This subdomain was intended to only allow authenticated users access to the stored data, but in this case, it was left unsecured. Basically, any user who had an AWS account could have access to this information. Despite the disclosure, the file contained no names, but it did include their home address, phone numbers, income and a host of other details, which was not password protected (Thakkar, 2017). After reading statements from Alteryx, it seemed that they tried to down play the extent of the data breach. However, the company did mention it was not hacked and that the file exposed does not pose a risk for identify theft to any consumers. Any time personal data is to be secured but is not could be useful for an attacker. Despite how Alteryx wanted to down play this, their stock lost “6%” of its value the day the breach was made public (Woodie, 2018). However, they have since made up the loss value. Alteryx did take steps after being informed about the issue. In a blog post statement made by the CEO, Stuecker announced that they quickly removed the file from AWS, and also added a layer of additional security to the AWS bucket where the file was stored (Woodie, 2018). What I don’t understand is why the information was on a publicly accessible server with no security in the first place? Alteryx definitely dropped the ball. Since the incident Alteryx took action by ensuring this does not happen again by maintaining a similar level of enhanced security for any dataset that they offer going forward (Woodie, 2018).

1.1.2 Concerns and legal issues

One main concern is the fact that personal information was publicly accessible and the file wasn’t password protected. Another main issue is the limit of access controls. It’s a good thing the file wasn’t discovered by a cyber-criminal. There was clearly a lack of security procedures or protocols in place for such a high degree of vulnerable data to go unnoticed like it did. Alteryx is legally responsible for not protecting such information even though they continued to the company wasn’t hacked. As a result, Alteryx was slammed with two class-action lawsuits. Alteryx placed PII on the web, which they failed to protect. It is unknown of the damages, but the lawsuits seek punitive damages and statutory damages (Schultz, 2017).

1.1.3 Regulatory Guidelines

In this case, Alteryx violated the Information Privacy Act. Under California laws, companies are required to uphold the privacy of personal information. However, the company failed to guard and protect the privacy of information as it was required to do so.  With such, the Federal Trade Commission details guidelines on how to safeguard personal information, which is recommended in Section 3 of Protecting Personal Information: A Guide for Business (Federal Trade Commission, 2016). When companies violate or fail to protect PII, such companies could be subject to be fined by the state.

1.1.4 Recommendation

Alteryx did accept full responsibility for the disclosure. However though, to ensure that personal information is safeguarded they should develop security programs to include both privacy and data protection. These programs could include proper encryption and password protection credentials when information is being stored on public servers. They should invest in quarterly audits and monitoring on a regular basis. Also, the NIST SP 800-122 could be useful as a guideline to protecting the confidentiality of PII, along with having access controls put in place to safeguard against unauthorized users.

1.2.0 Deep Root Analytics, 2017

Deep Root Analytics is a small private marketing and advertising company that specialize in media analytics to help gather data and provide insight to its customers. The company is headquartered out of Virginia, and founded in 2013. It has a company size of less than 50 employees (Deep Root Analytics, n.d.).  Deep Root Analytics was responsible for gathering and housing the political information for U.S. voters form the 2016 presidential election.

1.2.1 Vulnerability and risk/loss value

UpGuard (cyber firm) discovered a massive amount of data stored on a publicly accessible server owned by Deep Root Analytics that was not password protected. This was an unintended disclosure of the voter’s personal information. The company accidentally leaked all of the information of roughly 198 million registered voters in the U.S. (O’Sullivan, 2018). The data was stored on the Amazon cloud server and accessible for almost 2 weeks. It could have ended up in the hands of criminals, but gratefully a cyber-researcher found it. The data included names, addresses, birth dates and phone numbers of voters from both political parties (Naylor, 2017). The company contends it was not hacked despite the amount of time the data was publicly accessible. However, after the breach was brought to their attention they did take protective steps to ensuring this incident won’t happen in the future. In response to an interview by NPR they “updated the access settings and put protocols in place to prevent further access” (Naylor, 2017). Despite the steps made it is still unclear why this happened when handling information without any means of security in place. The situation exposed millions of Americans and put them in danger of becoming a victim of identity theft.

1.2.2 Concerns and legal issues

This is a major issue with PII being publicly accessible and not password protected. Since the cyber-analyst found the file it allowed the company opportunity to check for malicious activity. However, Deep Root was very negligent for not protecting the personal information as it is required. This definitely showed a lack of security procedures for something of this caliber to go unnoticed. As a result of the company’s negligence, they faced a class-action lawsuit. Deep Root failed to secure and safeguard the public’s PII. With such exposure of this magnitude the damages claimed were in excess of 5 million and likely face many more damaging lawsuits (Bertrand, 2017).

1.2.3 Regulatory Guidelines

Under Virginia law, the company is in violation of the Personal Information Privacy Act. When the company took responsibility for housing the information they were required to protect it. Yet they failed to do so like many other businesses out there. Additionally, in Section 3 of Protecting Personal Information: A Guide for Business (2016), the Federal Trade Commission details guidelines on how to safeguard personal information. The FTC recommends businesses follow this to help safeguard and protect confidential data (Federal Trade Commission, 2016). With such exposure this raises significant questions regarding the privacy and security of one’s personal data.

1.2.4 Preventative measures/Recommendations

Deep Root Analytics did accept full responsibility for the disclosure. However, there still needs to be changes made to ensure that any private information is being safeguarded. Some changes could include ensuring private PII is properly encrypted if is on a private server, and if stored on public servers that it is password protected. Also, proper training should be a security procedure in place that include steps to protecting and storing data securely on all levels. Another step further would be to implement proper audit procedures that will be ongoing. Not to mention, the NIST SP 800-122 is always useful to be a guideline for protecting personal information. Once the information is secured, the company could put in place access controls to ensure only authorized users who need to access the information is allowed.

1.3.0 Chipotle, 2017

Chipotle is a Mexican grill chain that was founded in 1993. It is a public company whose headquarters is in Denver, CO. The company operates over 2000 locations consisting in 48 states worldwide. It has an employee base of approximately 10,001 plus. Chipotle specialties include burritos, bowls, tacos and salads. The idea behind the restaurant is to provide exceptional customer experience while giving its customers the quality and service of being served fast, but not actually like a real “fast food” place (Chipotle, n.d.).

1.3.1 Vulnerability and risk/loss value

Chipotle announced to the public that the company noticed some unauthorized activity detected on its network. The company is unclear how the malware got there, but the breach was within the payment card processing from its restaurants. Its operating system seemed to be vulnerable because Chipotle was being very vague on the details of what had actually happened. The company did however pinpoint when the incident occurred. For several weeks, hackers were able to go undetected and had unlimited access to steal payment data from the restaurants. The data included account numbers and internal verification codes, which could potentially be used to access customers debit and credit card accounts or even be able to make duplicate copies of the cards (Marketplace, 2017). Initially, when the company first announced knowledge of the breach, they kind of brushed it off as if nothing really happened. However, after during a full investigation, it seems malware was introduced to the system payment card data in order to access information from the magnetic stripe whenever customers used their cards on the point-of-sale (POS) systems. There is definitely a potential risk for customers because the majority of people today don’t carry cash, therefore utilizing some sort of card to pay for charges. However, they were able to get the malware removed from their systems. The company was only able to provide notification of the breach in a statement posted on its website. Chipotle claimed they didn’t have any of the customer’s information to contact them so hopefully, by chance they see the statement. If by chance you saw the notification, it provided the restaurants locations and times the hack supposedly happened (Kollmeyer, 2017). The company did not seem to take full responsibility for their actions. They basically left it up to the customers to discover if any suspicious activity was found and to report it to the customer’s card company. They enlisted the help of cybersecurity firms to increase its security, but offered not assistance to the customers.

1.3.2 Concerns and legal issues

My major concern is how the attackers were able to place malware on the systems and it went undetected for several weeks. This is clearly the result of inadequate data security measures. With this being a malware attack, the company’s systems had no sort of software that monitored and alerted suspicious activity. My concern is the notifications will not get to all the customers who might have been affected. The company wasn’t able to provide the number of accounts compromised so this is truly a major concern. The breach constitutes Chipotle being out of compliance with the payment card industry (PCI) data security standards (DSS). As a result, the company would likely be fined because they fell to protect and secure the privacy of the card data of its customers. This cause me to believe that the company was aware of the risks associated with its payment processing systems and yet failed to make sure they were secure. Being said, Chipotle is now facing class action lawsuits from customers as well as the card companies. It is unclear what damages were awarded, if any.

1.3.3 Regulatory Guidelines

Any organizations involved with payment card processing must comply with the payment card industry data security standard (PCI DSS). The standard provides both a technical and operational requirement that is designed to protect account data (Chapple, Ballard, Ballard, & Banks, 2014). For Chipotle, they should follow the guidelines in order to help provide consistent data security controls for secure payment environments. It seemed like the company was not that familiar with the compliance procedures for PCI DSS. Therefore, they need to ensure their team of security experts are up-to-date on all policies and procedures associated with the industry. Not all situations will be the same, but the POS software should always be compliant with the industry’s best practices.

1.3.4 Preventative measures/Recommendations

Chipotle should consider implementing additional layers of security to help identify and eliminate the vulnerabilities and reduce the risks associated with them. The main focus should be to ensure and maintain adequate data security measures. Incorporating the use of a two-factor authentication will help with the approach to data security. Another should be to upgrade their security systems to include vulnerability scanning, penetration testing and firewalls. Last but not least, the company should consider using end to end encryption to protect payment data.1.4.0 Plastic Surgery Associates, 2017 (HACK) Plastic Surgery Associates of South Dakota is a company known for cosmetic and reconstructive surgical procedures. It is headquartered in Sioux Falls, South Dakota. The company has approximately 11 to 50 employees. The company operates in the industry of aesthetics while specializing in the entire field of plastic surgery that services all of South Dakota and the bordering states (Plastic Surgery Associates, n.d.).

1.4.0 Vulnerability and risk/loss value

According to the company, they discovered that some of their systems had been infected with malware. It’s unclear how exactly the malware got into the company’s system. However, they immediately reached out to experts to look into the matter and report back on the overall nature of the data that was breached. After the investigation, it was confirmed that approximately 10, 200 clients’ data had fallen prey to the attacker due to not adequately protecting the information as stipulated by the company bylaws (Pierret, 2017). The company wasted no time getting the ransomware removed and decrypting the affected systems. The impact of the attack caused the company to carry out an in-depth audit of its information systems to determine if other areas were deemed vulnerable. The audit performed allowed them to gain a better understanding of the attacker’s impact. Plastic Surgery of SD experienced losses due to patients not wanting to have their data exposed by the company reaching out to credit reporting agencies. The company lost dozens of their core customers mainly due to fear of this incident repeating itself. They suffered a significant loss due to the patient’s data not being able to be recovered. The attacker encrypted a portion of the company’s computer system making it inaccessible and much harder to perform normal work activities (Pierret, 2017).

1.4.1 Concerns and legal issues

In regards to the attack, the company violated the security rule, which they failed to establish safeguards. One issue was the lack of strong security protocols. Without protocols there really wasn’t anything hindering the attacker attempts from proceeding with the attack on the system. This attack also allowed me to believe that the weak security protocols were in place hadn’t been updated for a long time. The reason being is since the company never been breached there was no reason to update the protocols since they seem to have been working. Another issue with this attack led me to believe that they had no security personnel monitoring the system or that audit checks were never being performed. An attack of this nature is a true indication that the company’s system lacked the software needed to monitor and track phishing attempts. Most ransomware attacks arise from trial and error phishing campaigns that focus on the weak security systems.

1.4.2 Regulatory Guidelines

Procedures should be implemented to perhaps guard and detect the company’s systems against malicious software. While implementing procedures, it should include an analysis of the risks that helps identify threats and subsequently any vulnerabilities associated with the system that will affect the company’s electronic protected health information (ePHI). According to Carlson & Mandel (2017), any company that deals with ePHI must follow the required guidelines established by HIPAA. HIPAA require that companies implement access controls that close out malicious personnel from gaining access into the ePHI. The access control will only allow specific persons who are authorized to access the system (Carlson & Mandel, 2017). Also, in this defense, it’s directed that the company follow guidelines that include incorporating backups to the company systems that will run systematically at all times. This direct guideline emphasizes the need for a business continuity plan in the event of a malware attack (Fetzer & West, 2008).

1.4.3 Preventative measures/Recommendations

The company should consider having a security strategy that protects the key assets with the use of a multi-layered defense approach. This defensive approach makes focusing on vulnerabilities and risks much easier when protecting data. There is no silver bullet or way to ensure 100 percent of adequate data protection. Therefore, the company should seek resilience as opposed to absolute prevention (Mathaisel, Reffer, & Gruman, 2014). This strategy would help the company be better equipped with the right tools and procedures to stop an emerging threat before an attack occurs.

1.5.0 Oracle, 2016

Oracle is a global corporation in the information technology and business spectrum. The company was founded in 1977 and its headquarters is in Redwood Shores, California. Oracle specializes in developing database software and technology, cloud systems and applications. The company size is estimated to be over 10,001 plus employees (Oracle, n.d.). Primarily, the company’s growth seems to be due to joining forces with companies (software) and installing their product within the company’s network.

1.5.1 Vulnerability and risk/loss value

Oracle’s Micros support portal had been compromised with some unknown malware and malicious code. The company’s security team was able to detect the malware, but they were unsure what exact vulnerabilities existed that allowed the hackers to be able to exploit. The company cannot say how long the attack had been going on, but they were able to confirm that a breach had indeed occurred. In this situation, Oracle’s security team began investigating the breach to gather as much information as possible because they weren’t sure what all had been compromised. During their investigation, they also checked the Corporate network, cloud service, and payment card data systems, and confirmed they did not get compromised. However, Oracle was not able to remove the malware in time, which caused them to lose all of its data (Kerbs, 2016).

1.5.2 Concerns and legal issues

The compromise seems to have targeted the weak security patches and software. The vulnerabilities allowed attackers to intrude the support portal and install malware undetected. The company failed to take a closer look at its software and/or patches in the entire network to notice that there was a gap in security. Their lack of protocols prevented them from being able to detect zero day attacks and/or phishing scams. The attack allowed access to the system where they were able to steal critical data for an unknown period of time. After Oracle realized what the attackers were targeting, they notified the customers to explain what happened with their accounts on the Micros portal. Therefore, the company forced a password reset to all accounts on the portal, and recommended to the customers they change their passwords as well. Also, Oracle implemented additional security measures for its systems to prevent any recurrence (Kerbs, 2016).

1.5.3 Regulatory Guidelines

With Oracle’s Micros systems being used in a variety of industries around the world, the company is required to ensure that their policies and procedures are in compliant with common laws such as, PCI DSS, HIPAA, SOX, FTC, and the new EU-GDPR (European Union-General Data Protection Regulation), also along with a host of state laws. Additionally, Oracle should adhere with the ISO/IEC 27001:2013 standard, which governs all areas of information security (Chapple, Ballard, Ballard, & Banks, 2014).

1.5.4 Preventative measures/Recommendations

With Oracle having a hand in software, databases and applications, it’s easy to think they have everything under control and still fall short with their own security practices. No company is 100 percent safe. Therefore, Oracle must implement security controls that are designed to change as the threats continue to emerge. To safeguard their data, the company will need to devote substantial resources to in-depth procedures that offers an advancement of security.  Based on the outcome of this breach, Oracle should think about implementing an advance patching strategy, penetration testing, intensive database monitoring, auditing and reporting, multifactor access controls, data encryption and blocking solutions that are designed to protect and secure its data.

References

• Alteryx. (n.d.). LinkedIn. Retrieved September 22, 2018, from Alteryx: https://www.linkedin.com/company/alteryx
• Bertrand, N. (2017, June 22). GOP data firm tht exposed millions of Americans' personal information is facing its first class-action lawsuit. Retrieved from Business Insider: https://www.businessinsider.com/deep-root-analytics-sued-after-data-breach-2017-6
• Carlson, S. F., & Mandel, J. R. (2017). Commentary on “Electronic Communication of Protected Health Information: Privacy, Security, and HIPAA Compliance". The Journal of Hand Surgery, 417-419.
• Chapple, M., Ballard, B., Ballard, T., & Banks, E. (2014). Access Control, Authentication, and Public Key Infrastructure. Burlington: Jones & Bartlett Learning, LLC.
• Chipotle. (n.d.). Chipotle. Retrieved September 21, 2018, from LinkedIn: https://www.linkedin.com/company/chipotle-mexican-grill
• DeepRootAnalytics. (n.d.). Deep Root Analytics. Retrieved September 21, 2018, from LinkedIn: https://www.linkedin.com/company/deep-root-analytics
• Federal Trade Commission . (2016, Orctober). Retrieved from Protecting Personal Information: A Guide for Business: https://www.ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business
• Fetzer, D. T., & West, O. C. (2008). The HIPAA Privacy Rule and Protected Health Information. Academic Radiology, 390-395.
• Hackett, R. (2017, December 22). Data Breach Exposes 123 Million U.S. Households. Retrieved from Fortune: http://fortune.com/2017/12/22/experian-data-breach-alteryx-amazon-equifax/
• Kerbs, B. (2016, August 13). Visa Alert and Update on the Oracle Breach. Retrieved from Krebs on Security: https://krebsonsecurity.com/2016/08/visa-alert-and-update-on-the-oracle-breach/
• Kollmeyer, B. (2017, May 30). Chipotle’s data breach: How to tell if you may have been a victim. Retrieved from MarketWatch: https://www.marketwatch.com/story/chipotles-data-breach-how-to-tell-if-you-may-have-been-a-victim-2017-05-27
• Marketplace. (2017, May 29). Chipotle's data breach affects customers nationwide. Retrieved from MarketPlace: https://www.marketplace.org/2017/05/29/business/chipotle-security-breach
• Mathaisel, B., Retter, T., & Gruman, G. (2014). How to rethink security for the new world of IT.  InfoWorld.
• Naylor, B. (2017, June 19). Firm Contracted By Republican Groups Left Millions Of Voter Files Unsecured Online. Retrieved from npr: https://www.npr.org/2017/06/19/533551243/firm-contracted-by-rnc-left-millions-of-voter-files-unsecured-online
• Oracle. (n.d.). Oracle. Retrieved September 21, 2018, from LinkedIn: https://www.linkedin.com/company/oracle
• O'Sullivan, D. (2018, May 1). The RNC Files: Inside the Largest US Voter Data Leak. Retrieved from UpGuard: https://www.upguard.com/breaches/the-rnc-files
• Pierret, J. (2017, July 28). Plastic Surgery Associates of South Dakota notifies 10,200 after ransomware attack. Retrieved from DataBreaches.net: https://www.databreaches.net/plastic-surgery-associates-of-south-dakota-notifies-10200-after-ransomware-attack/
• PlasticSurgery. (n.d.). Plastic Surgery Associates of South Dakota. Retrieved September 21, 2018, from LinkedIn: https://www.linked.com/company/plastic-surgery-associates-of-south-dakota/
• Schultz, R. (2017, December 22). Alteryx Slammed With Two Data Breach Suits. Retrieved from MediaPost: https://mediapost.com/publications/article/312126/alteryx-slammed-with-two-data-breach-
• Thakkar, J. (2017, December 20). Alteryx Data leak: Everything You Need to Know. Retrieved from hashedout by The SSL Store: https://www.thesslstore.com/blog/alteryx-data-leak/
• Woodie, A. (2018, January 5). Alteryx Takes Action Following Big Data Breach. Retrieved from Datanami: https://www.datanami.com/2018/01/05/alteryx-takes-action-following-big-data-breach/