Bloomberg Law
Feb. 20, 2020, 4:05 PMUpdated: Feb. 20, 2020, 6:46 PM

Retail Customer Data Exposure Spotlights Cloud Security Risk (1)

Daniel R. Stoller
Daniel R. Stoller
Senior Legal Editor

A market analysis company accidentally exposed customer data from major retailers, including Kate Spade & Co. and Beverages & More Inc., after storing the information in an Amazon Web Services cloud container, according to a new report from cybersecurity firm UpGuard.

The 747 gigabytes of data stored by Tetrad Computer Applications Inc. also included market information about millions of American households, such as where they are located and their purchasing histories, said Chris Vickery, UpGuard’s director of cyber risk research. UpGuard discovered the data Feb. 1 and worked with Tetrad to wall it off, he said.

The exposure highlights difficulties companies face securing data in cloud storage systems because of possible misconfigurations of security settings that unintentionally allow public access to the information.

“Preventing this vulnerability is really all about customers closely following a standard checklist of security protocols whenever one’s infrastructure is exposed in the cloud,” said Bob Diachenko, a cybersecurity consultant and researcher at Security Discovery.

Tetrad said in a statement that UpGuard alerted it to a default security setting that left files related to a “limited number” of its clients and suppliers exposed.

“Upon notification, we immediately addressed the issue and secured the files,” Tetrad said. “The nature of the information contained within the files did not pose a risk for financial or identify fraud, and we have no evidence that would suggest any organization or individual other than UpGuard knew about this issue or accessed the files.”

Amazon didn’t immediately respond to requests for comment.

Ferndale, Wash.-based Tetrad uses data analytics to help businesses find new customers and choose locations for real estate, according to the company’s website. The company serves the retail, banking, and healthcare sectors, among other industries, according its website.

Tetrad said in its statement that it has notified affected parties, is investigating the issue, and has updated its “security processes and protocols.”

Businesses that leave data unsecured face possible legal risks under a patchwork of state and territorial data breach notification laws, privacy and cybersecurity attorneys said. They also face possible regulatory inquiries and consumer lawsuits, said Mark McCreary, co-chair of Fox Rothschild LLP’s privacy and data security practice in Philadelphia.

“The legal liability for a company using a cloud service that is not properly secured is immense,” McCreary said. “It is on the business to make sure proper security protocols are implemented.”

Businesses risk having data falling into the wrong hands without proper cloud storage security protocols, Diachenko said. Data can often sit in the cloud in “buckets that can be accessed by anyone with AWS login credentials, rather than restricted to a small group with access permission,” he said.

UpGuard aims to reduce data breaches and exposures by providing security ratings and data leak detection to its customers. The company “combines third party security ratings, security assessment questionnaires, and threat intelligence capabilities to give businesses a full and comprehensive view of their risk surface,” according to its website.

The data accessed by UpGuard appeared to include information from current and prospective Tetrad clients, Vickery said. Such information could be combined with Tetrad’s data to help clients make decisions, such as where to locate future brick-and-mortar stores, he said.

The data included a spreadsheet of more than 700,000 Kate Spade online accounts as well as information from 3.8 million BevMo loyalty cards, Vickery said. UpGuard couldn’t determine whether the data was used or taken by cybercriminals or other third parties, he said.

“The publicly exposed data here reveals which households spent a few dollars on their respective offerings and which spent tens of thousands,” Vickery said.

Tapestry Inc.'s Kate Spade brand uses market analysis by Tetrad, company spokeswoman Andrea Shaw Resnick said. “To conduct this market analysis, Kate Spade shares certain sales data with Tetrad,” Resnick said. “However, we have confirmed that does not include any personally identifiable information.”

A Beverages & More spokesperson didn’t immediately comment.

Household Data

Tetrad’s files also included consumer profile information on many American households that was culled from database firm Experian Plc, consumer segmentation analysis company Claritas LLC, publicly available U.S. census data, and other sources, according to UpGuard’s report and screenshots reviewed by Bloomberg Law.

Experian spokesman Scott Anderson said his company provided Tetrad with information that is not personally identifiable and is “commonly used in the marketing industry.” He said the information comes from sources that are publicly and commercially available.

Claritas spokesman Cort Irish said Tetrad licenses his company’s data through a third party and that Claritas has reached out to that party for an update.

The data also included information about Chipotle Mexican Grill Inc.’s potential use of an IBM Corp. tool called TRIRIGA to help find potential customers, Vickery said. A publicly accessible spreadsheet listed 4,000 actual and planned Chipotle locations related to TRIRIGA deployment, he said.

Laurie Schalow, chief corporate reputation officer for Chipotle, said Tetrad doesn’t have access to any of Chipotle’s consumer data. “The files being referenced date back to 2015 and contain Chipotle restaurant locations and phone numbers,” she said.

IBM didn’t immediately respond to requests for comment.

(Updated with additional reporting)

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editors responsible for this story: John Hughes at; Keith Perine at