(CN) – Two federal class actions were filed Wednesday upon news of a data breach at marketing company Alteryx that exposed the private information of more than 120 million Americans.
The lawsuits in Los Angeles and Portland, Oregon, came the day after researchers from cybersecurity company UpGuard revealed they had found the massive database sitting exposed on Amazon Web Services’ cloud-based servers back in October.
Anyone with an AWS account, which is provided free, could have gained access to the information.
The server contained several categories of personal household data, including income, phone numbers, mortgages, addresses, number of children and even hobbies. The data was purchased from Experian by Alteryx for use in its marketing products.
“While many consumers will likely be troubled by the ability of private corporations to legally collect and sell this data, ranging from publicly available information to sensitive financial details, this exposure highlights a number of growing forms of cyber risk with systemic implications,” researcher Dan O’Sullivan wrote in the UpGuard report.
It was revealed in September that credit reporter Equifax had suffered a data breach in May, in which hackers gained access to the personal information of 143 million Americans.
The Oregon lawsuit, filed by Portland attorney Michael Fuller with Olson Daines on behalf of lead plaintiff Christopher Jackson, claims that Alteryx was negligent in its responsibility to secure the data and to inform the public about the breach.
“Alteryx unjustifiably failed to timely notify consumers of its data breach in the most expeditious manner possible, and only chose to acknowledge the unauthorized access after a cyber expert disclosed the breach to a news outlet, after the damage to their credit was already done,” the lawsuit states.
The California lawsuit, filed by attorney Robert Green with Green & Noblin on behalf of lead plaintiff David Kacur, also claims that Alteryx violated the Fair Credit Reporting Act.
“Alteryx failed to take the necessary precautions required to safeguard and protect plaintiff and class members’ PII [personally identifiable information] from unauthorized disclosure, as their PII was improperly handled and stored,” the complaint states.
“Therefore, on information and belief, the PII of plaintiff and class members was exposed to an unnecessarily high risk of access from identity thieves and others with no right to access the data.”
In an email statement sent to Forbes, an Alteryx spokesperson said the database leak was not that serious, and that no names were attached to the data.
“Specifically, this file held marketing data, including aggregated and de-identified information based on models and estimations provided by a third-party content provider, and was made available to our customers who purchased and used this data for analytic purposes,” the spokesperson wrote. “The information in the file does not pose a risk of identity theft to any consumers.”
Alteryx and UpGuard could not be reached for comment after business hours Wednesday.
Alteryx’s shares fell more than 6 percent Wednesday on news of the breach.
Green & Noblin has offices in Larkspur and Long Beach.