A Dun & Bradstreet database, 52 GB in size and containing more than 33.6 million records with very specific details, has been exposed.
Cybersecurity researcher Troy Hunt, who received the database for study, on Wednesday confirmed that the records already were organized and developed as if intended for distribution to a potential client.
The database belonged to NetProspex, a firm purchased by Dun & Bradstreet in 2015 for US$125 million, ZDNet confirmed. NetProspex had compiled the database — which included personal information including names, job titles, job responsibilities and work email addresses and phone numbers — for e-marketers, by all accounts.
It presumably was meant as a tool to target customers via email campaigns and other communication methods. It is the type of data that can be purchased by clients and broken down either via bulk email addresses, or by specific records such as by company or industry.
No highly sensitive personal information was included in the records, however, according to Dun & Bradstreet.
“Based on our analysis, it is our determination that there has been no exposure of sensitive personal information from, and no infiltration of, our system,” a Dun & Bradstreet spokesperson said in a statement provided to the E-Commerce Times by company rep Deborah McBridge.
“The information in question is data typically found on a business card,” the spokesperson added. “As general practice, Dun & Bradstreet uses an agile security process and evaluates and evolves security controls to protect the integrity of our data. Generally, our legal agreements do require our customers to safeguard and maintain the confidentiality of the data they receive.”
Devil in the Details
The database includes information only on Americans, Hunt found. California has the highest representation with more than 4 million records, followed by New York with 2.7 million, and Texas with 2.6 million records.
That is in line with the population breakdown of the United States in general.
The database is quite diverse, including information on organizations in the government and military sectors, as well as individuals in the commercial sector. The database includes details on more than 100,000 individuals working for the Department of Defense, and more than 88,000 employee records from the United States Postal Service. There are more than 76,000 records from the United States Army and United States Air Force combined.
On the corporate side, the database includes records from several large-scale businesses, including AT&T, Boeing, Dell, FedEx, IBM and Xerox, as well as Walmart, CVS Health Corporation, Wells Fargo Bank, Citigroup and Kaiser Foundation Hospitals.
Ohio State University is one of the centers of higher education listed by Hunt, with 38,705 of its employee records turning up in the database.
How the information was stolen isn’t yet clear, but it doesn’t appear that great sophistication was required, which is in itself worrisome.
“The D&B breach shines an uncomfortable light on a common fact of modern life — that companies of most every sort consider personal customer information to be a valuable commodity,” said Charles King, principal analyst at Pund-IT.
“Once consumers provide information to businesses and other organizations, they have virtually no control over how it is handled, and few options when it is mishandled,” he told the E-Commerce Times.
“This hack shows that these types of databases are the low-hanging fruit for hackers,” said Pierre Roberge, chairman of Arc4dia.
“This wasn’t a very technical hack, and there probably isn’t a lot of money that will be made from it, but for some hackers this is enough so that they can eat and live,” he told the E-Commerce Times.
Going Into Crisis Mode
Companies have been challenged to come up with effective responses to data breaches, cyberattacks and other hacks.
“Organizations that have been hacked or breached would do well to address the situation with full transparency,” noted King.
“In fact, Yahoo’s situation is an exemplar of the bad tidings that can occur for a company and its shareholders when lack of transparency is the rule,” he told the E-Commerce Times.
“Though Dun & Bradstreet insisted that no personally identifiable information was exposed, reports that the database includes people’s first and last names, their job titles, email addresses, and the organizations they work for suggests otherwise,” King said. “The company would do well to get out in front of this or risk suffering long-term damage. “
Compared to recent cyberattacks and security breaches, this leak could rank more as an annoyance than as a grave security concern.
“This isn’t voter data rolls, or very personal information such as what we saw in the Office of Personnel Management or healthcare breaches,” said Eric Hodge, director of consulting at security research firm CyberScout.
“However, it could be a great first step for identity theft,” he told the E-Commerce Times.
“The information can make it more convenient for criminals, but this information is already out there and could be picked off LinkedIn or Facebook,” added Hodge.
“The bigger worry from this is that it casts a light on the global state of cybersecurity,” observed Arc4dia’s Roberge.
“It might not be very sensitive, but it shouldn’t end up on the black market so easily,” he said.
Identity theft is the biggest potential concern resulting from an attack like this one, but unlike the OPM breach, which included Social Security numbers, home addresses, and in many cases fingerprints, the information leaked here is less significant on a personal level.
“This is in the ‘oh great, I’m going to get more spam’ — but anyone who thinks their information was breached should be more aware,” cautioned Hodge.
“I’d suggest checking credit card bills more closely, checking credit scores, and generally being vigilant,” he said, even though “this isn’t the type of breach that should be cause for huge alarm.”
Still, enterprising hackers could use corporate email addresses in dangerous ways.
“The challenge with a breach of this nature is that it provides a lot of raw material for nefarious attackers to craft very convincing phishing or social engineering campaigns against decision-makers in corporations,” said Dwayne Melancon, vice president of products at security and compliance firm Tripwire .
“Organizations should warn executives,” he told the E-CommerceTimes, “and educate them on the warning signs of business email compromise schemes.”
Mind of the Marketer
The thieves apparently meant to sell the database to unscrupulous marketers.
“This does cast the spotlight inside the seamy underbelly of what you agree with when you check on agreements to use your personal information,” noted CyberScout’s Hodge.
“This information is what is considered acceptable to share when you check the box on agreements without reading the fine print,” he added. “It will open the eyes to what you give in the way of information to reputable companies, and this is good illustration of the reality of how this information is then shared.”