Alteryx alert

You may have missed this over the Christmas period, but Alteryx was the subject of a massive data breach (120 million records) earlier in December. There’s a detailed discussion of this here. In short, this was a lot of marketing data but without any actual names involved. Alteryx has argued that the lack of names means that the breach is not a big deal. I disagree: it wouldn’t be difficult to match this with other data that does include names.

There are two issues here. The first is that I have repeatedly asked data preparation vendors – of which Alteryx is one – whether they provide data masking or partner with a data masking vendor. The answer I usually get is either “no” or a vague “it’s on our roadmap: sometime in the future”. Vendors in this space have consistently ignored the fact that the business analysts and data scientists who use their tools are not allowed to see private data (GDPR) or personally identifiable information (PII).

The second issue is how much this harms Alteryx? The short answer is – and probably should be – a lot. Bear in mind that Alteryx is not a user organisation but a software provider. It should know better. On the other hand, bearing in mind my comments in the previous paragraph, you could argue that Alteryx was unlucky and that this could have happened to one of its competitors. That’s true. But it didn’t. Whenever an analyst or reviewer writes about Alteryx in the future you’re always going to get this data breach caveat: that is going to be seriously painful.