33.7M records leaked from US commercial database

Dive Brief:

  • Approximately 33.7 million records from a commercial corporate contact database have been leaked, according to Troy Hunt, who runs the breach notification site Have I Been Pwned and serves as a Microsoft regional director in Australia.
  • U.S. business services company Dun & Bradstreet confirmed it owned the leaked database, which it acquired when it bought NetProspex in 2015, ZDNet reports. Hunt obtained the database and analyzed the records, which include names, job titles and functions, work email addresses and phone numbers, and other contact details for employees of thousands of companies.
  • Of the 52GB of data in the database, California was the most represented state, with more than four million records, followed by New York with 2.7 million and Texas with 2.6 million. Many records came from federal government agencies, including the Department of Defense, the U.S. Postal Service, the U.S. Army, the Air Force and the Department of Veterans Affairs. Thousands more came from private-sector businesses, including AT&T, Boeing, Dell, FedEx, IBM and Xerox.

Dive Insight:

NetProspex data is sold to companies and used by marketers for email campaigns and other marketing activities. So although D&B confirmed it owns the database, identifying who actually leaked this copy may be impossible: the same data has been distributed to many customers over the years.
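The attribution problem above has a standard mitigation on the vendor side that the brief does not describe: seeding every delivered copy with a few licensee-specific canary contacts, so that a copy which later leaks can be traced to the licensee whose seeds it contains, and so that mail sent to those addresses reveals which copy is being abused. The following is an added example of that technique in Python; it is not code from Dun & Bradstreet, NetProspex or Have I Been Pwned. The secret key, the `canary.example` mail domain, the record fields, the licensee names and the sample records are all constructed assumptions.

```python
"""Per-licensee seed (canary) records for attributing a leaked data copy.

Added example, not code from Dun & Bradstreet, NetProspex or Have I Been Pwned.
Assumptions: the data vendor holds SECRET, appends N_CANARIES synthetic contacts
to every copy it delivers, and CANARY_DOMAIN is a mail domain the vendor
monitors. Record fields mimic the leaked data (name, title, email, state).
"""
import hashlib
import hmac

SECRET = b"vendor-only-key-rotate-per-release"  # assumption: known to the vendor only
CANARY_DOMAIN = "canary.example"                 # assumption: vendor-monitored domain
N_CANARIES = 3

# Constructed sample of the licensed data (not real records).
BASE_RECORDS = [
    {"name": "Dana Ruiz",  "title": "IT Director",         "email": "dana.ruiz@corp-a.example",  "state": "CA"},
    {"name": "Lee Park",   "title": "Payroll Manager",     "email": "lee.park@corp-b.example",   "state": "NY"},
    {"name": "Sam Okafor", "title": "Contracting Officer", "email": "sam.okafor@agency.example", "state": "TX"},
]

# Constructed licensee identifiers.
LICENSEES = ["acme-marketing", "globex-sales", "initech-leadgen"]


def seed_records(licensee_id: str, secret: bytes = SECRET) -> list[dict]:
    """Derive N_CANARIES synthetic contacts that are unique to one licensee.

    HMAC keeps the mapping deterministic (the vendor can regenerate the seeds
    later instead of storing every canary) and unforgeable without the key.
    """
    records = []
    for i in range(N_CANARIES):
        tag = hmac.new(secret, f"{licensee_id}:{i}".encode(), hashlib.sha256).hexdigest()
        records.append({
            "name": f"Canary {tag[:6].upper()}",     # plausible-looking, unique per copy
            "title": "Procurement Analyst",
            "email": f"{tag[:12]}@{CANARY_DOMAIN}",  # mail here identifies the copy
            "state": ["CA", "NY", "TX"][i % 3],
        })
    return records


def deliver(licensee_id: str, base: list[dict] = BASE_RECORDS) -> list[dict]:
    """The copy shipped to one licensee: real data plus that licensee's canaries."""
    return base + seed_records(licensee_id)


def attribute_leak(leaked: list[dict], licensees: list[str] = LICENSEES) -> dict[str, int]:
    """Map each licensee to how many of its canary addresses appear in a leaked copy.

    An empty result means the copy carried no canaries (it predates seeding, or
    the seeds were scrubbed), so attribution by content alone is not possible.
    """
    leaked_emails = {r["email"].lower() for r in leaked}
    hits = {}
    for lid in licensees:
        canaries = {r["email"] for r in seed_records(lid)}
        matched = canaries & leaked_emails
        if matched:
            hits[lid] = len(matched)
    return hits


if __name__ == "__main__":
    # Constructed scenario: a leaked file turns out to be a merge of two copies.
    leaked = deliver("acme-marketing") + deliver("initech-leadgen")
    print(attribute_leak(leaked))        # -> {'acme-marketing': 3, 'initech-leadgen': 3}
    print(attribute_leak(BASE_RECORDS))  # -> {} : nothing to attribute
```

A few seeds per copy are enough to survive partial deduplication or scrubbing, and because they are regenerated from the key rather than stored, the vendor's own master copy never contains them. The empty-result case is the situation the brief describes: a copy that was never seeded cannot be attributed this way, whoever owns the source database.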

In a statement emailed to ZDNet, a Dun & Bradstreet spokesperson downplayed the incident, saying the data was not exposed through one of the company's systems and that the leaked information is the same type of data they "deliver to customers every day."

But having all of that data aggregated in one place is precisely what makes it so valuable to cybercriminals.

"All this personal identifiable information in one place makes it easy for those with malicious intent to develop targeted whale phishing campaigns and W-2 BEC scams," said Brian Vecci, technical evangelist at Varonis. "It's clear organizations need to understand where their information assets are, who is using them, and who is responsible for them so they can detect malicious activity before it becomes a massive loss."

At this point, such data has proliferated so widely that it is questionable whether anyone can still control it. Still, companies that collect it need to go to great lengths to protect it, or risk a PR nightmare like the one D&B is facing right now.
