Dun & Bradstreet Marketing Database Exposed

A Dun & Bradstreet database, 52 GB in size and containing more than 33.6 million records with very specific details, has been exposed.

Cybersecurity researcher Troy Hunt, who received the database for study, on Wednesday confirmed that the records already were organized and developed as if intended for distribution to a potential client.

The database belonged to NetProspex, a firm purchased by Dun & Bradstreet in 2015 for US$125 million, ZDNet confirmed. NetProspex had compiled the database — which included personal information including names, job titles, job responsibilities and work email addresses and phone numbers — for e-marketers, by all accounts.

It presumably was meant as a tool to target customers via email campaigns and other communication methods. It is the type of data that can be purchased by clients and broken down either via bulk email addresses, or by specific records such as by company or industry.

No highly sensitive personal information was included in the records, however, according to Dun & Bradstreet.

“Based on our analysis, it is our determination that there has been no exposure of sensitive personal information from, and no infiltration of, our system,” a Dun & Bradstreet spokesperson said in a statement provided to the E-Commerce Times by company rep Deborah McBridge.

“The information in question is data typically found on a business card,” the spokesperson added. “As general practice, Dun & Bradstreet uses an agile security process and evaluates and evolves security controls to protect the integrity of our data. Generally, our legal agreements do require our customers to safeguard and maintain the confidentiality of the data they receive.”

Devil in the Details

The database includes information only on Americans, Hunt found. California has the highest representation with more than 4 million records, followed by New York with 2.7 million, and Texas with 2.6 million records.

That is in line with the population breakdown of the United States in general.

The database is quite diverse, including information on organizations in the government and military sectors, as well as individuals in the commercial sector. The database includes details on more than 100,000 individuals working for the Department of Defense, and more than 88,000 employee records from the United States Postal Service. There are more than 76,000 records from the United States Army and United States Air Force combined.

On the corporate side, the database includes records from several large-scale businesses, including AT&T, Boeing, Dell, FedEx, IBM and Xerox, as well as Walmart, CVS Health Corporation, Wells Fargo Bank, Citigroup and Kaiser Foundation Hospitals.

Ohio State University is one of the centers of higher education listed by Hunt, with 38,705 of its employee records turning up in the database.

Digital Commodity

How the information was stolen isn’t yet clear, but it doesn’t appear that great sophistication was required, which is in itself worrisome.

“The D&B breach shines an uncomfortable light on a common fact of modern life — that companies of most every sort consider personal customer information to be a valuable commodity,” said Charles King, principal analyst at Pund-IT.

“Once consumers provide information to businesses and other organizations, they have virtually no control over how it is handled, and few options when it is mishandled,” he told the E-Commerce Times.

“This hack shows that these types of databases are the low-hanging fruit for hackers,” said Pierre Roberge, chairman of Arc4dia.

“This wasn’t a very technical hack, and there probably isn’t a lot of money that will be made from it, but for some hackers this is enough so that they can eat and live,” he told the E-Commerce Times.

Going Into Crisis Mode

Companies have been challenged to come up with effective responses to data breaches, cyberattacks and other hacks.

“Organizations that have been hacked or breached would do well to address the situation with full transparency,” noted King.

“In fact, Yahoo’s situation is an exemplar of the bad tidings that can occur for a company and its shareholders when lack of transparency is the rule,” he told the E-Commerce Times.

“Though Dun & Bradstreet insisted that no personally identifiable information was exposed, reports that the database includes people’s first and last names, their job titles, email addresses, and the organizations they work for suggests otherwise,” King said. “The company would do well to get out in front of this or risk suffering long-term damage. “

Threat Level

Compared to recent cyberattacks and security breaches, this leak could rank more as an annoyance than as a grave security concern.

“This isn’t voter data rolls, or very personal information such as what we saw in the Office of Personnel Management or healthcare breaches,” said Eric Hodge, director of consulting at security research firm CyberScout.

“However, it could be a great first step for identity theft,” he told the E-Commerce Times.

“The information can make it more convenient for criminals, but this information is already out there and could be picked off LinkedIn or Facebook,” added Hodge.

“The bigger worry from this is that it casts a light on the global state of cybersecurity,” observed Arc4dia’s Roberge.

“It might not be very sensitive, but it shouldn’t end up on the black market so easily,” he said.

Follow-Up Attacks

Identity theft is the biggest potential concern resulting from an attack like this one, but unlike the OPM breach, which included Social Security numbers, home addresses, and in many cases fingerprints, the information leaked here is less significant on a personal level.

“This is in the ‘oh great, I’m going to get more spam’ — but anyone who thinks their information was breached should be more aware,” cautioned Hodge.

“I’d suggest checking credit card bills more closely, checking credit scores, and generally being vigilant,” he said, even though “this isn’t the type of breach that should be cause for huge alarm.”

Still, enterprising hackers could use corporate email addresses in dangerous ways.

“The challenge with a breach of this nature is that it provides a lot of raw material for nefarious attackers to craft very convincing phishing or social engineering campaigns against decision-makers in corporations,” said Dwayne Melancon, vice president of products at security and compliance firm Tripwire .

“Organizations should warn executives,” he told the E-CommerceTimes, “and educate them on the warning signs of business email compromise schemes.”

Mind of the Marketer

The thieves apparently meant to sell the database to unscrupulous marketers.

“This does cast the spotlight inside the seamy underbelly of what you agree with when you check on agreements to use your personal information,” noted CyberScout’s Hodge.

“This information is what is considered acceptable to share when you check the box on agreements without reading the fine print,” he added. “It will open the eyes to what you give in the way of information to reputable companies, and this is good illustration of the reality of how this information is then shared.”

Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.Email Peter.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Peter Suciu
More in Cybercrime

Technewsworld Channels

5 Cyber Safety Tips To Survive the Internet, Hackers and Scammers

phone fraud hacker

Navigating the internet can be a trouble-filled journey. Bad actors intent on exploiting uninformed users are constantly lurking behind emails, websites, and social media invites. Even your Wi-Fi router and those now-ubiquitous QR codes can be danger points. Add to that, the never-ending virus and malware threats.

Computer and mobile device users are often unaware of the danger zones. However, the internet need not be a constant trip through the badlands. What it takes to stay protected online is knowing what to avoid and how to protect yourself.

Here are five things in your control to help keep your digital activity safe.

1. QR Codes, Handy but Potentially Harmful

QR Code for TechNewsWorld.com
A safe QR code for TechNewsWorld.com

These postage-size image links to websites can be convenient. Just point your smartphone camera at it and instantly go to a website, tech support location, discount offer on a purchase, or restaurant menu.

However, QR codes can also take you to a nefarious place where malware or worse is waiting. QR codes can be programmed to link to anything, putting your privacy and security at big risk.

Think before you scan a QR code. If the code is displayed on a website or printed document you trust, it is probably a safe. If not, or you are unsure, check it out.

You can download reputable QR reader apps that will perform a security check on the endpoint of the QR code’s destination. One such safety tool I use is the Trend Micro QR Scanner app, available for Android and iOS.

2. Avoid ‘Unsubscribe’ Email Scams

This is a popular ongoing scam that has a high success rate for hackers. Potential victims get an email for a product offer or other business invitation. The opt-out action step is enticing, looks familiar, and sounds reasonable. “Don’t want to receive our emails? Click here to unsubscribe,” it beckons.

Sometimes the annoying repeat emails ask if you want to unsubscribe from future emails. Some even offer you a link to cancel a subscription.

Do not select any options. Clicking on the links or replying confirms your active address.

Never input your email address in the “unsubscribe me” field, either. More senders will follow.

A better solution to deleting the unwanted email, especially from an unknown sender, is to mark it as spam. That moves it to the spam folder. You also can add that sender to your email program’s block list, or set up a filter to automatically delete it before it reaches your inbox.

Finally, check out the free service Unroll.me. There you can unsubscribe from unwanted emails, keep others, or get the rest in a daily digest.

3. Lockout Facebook Hackers

Other villains try to usurp Facebook accounts. Hackers can change your password, email address, phone number, and even add a security code to lock you out of the pirated account. Before trouble happens, be proactive to prevent these situations. Facebook provides the following security settings you need to enable.

Enable two-factor authentication (2FA) to require your login approval on a separate device.

To do this, log in to your Facebook account on a desktop computer and navigate to Settings & privacy. Next, select Security and login. Then scroll down and edit the Two-factor authentication option. 

Facebook two-factor authentication settings

To complete this step, you must enter your Facebook password.

Activate these two additional features to block Facebook hackers:

  • Turn on the Code Generator feature in the Facebook mobile app
  • Set up login alerts to your email

First, open the Facebook mobile app and tap the magnifying glass, enter the term “code generator” and tap the search icon. Tap the result Code Generator to navigate to the next screen, then tap the button “Turn On Code Generator” to get a 6-digit code that changes every 30 seconds. You must enter this code within that short time span to login to your account on another device.

Next, set up alerts about unrecognized logins. You can do this from either a computer or a mobile device.

  • Computer: go to Settings & privacy > Settings > Security and login > Get alerts about unrecognized logins (see above screenshot).
  • Mobile app: tap Menu > Settings & privacy gear icon > Settings. Then tap Password and security. Next, scroll to Setting Up Extra Security > Get alerts about unrecognized logins > tap to select your preferred notification methods.

If you have trouble logging in, head to facebook.com/login/identify to fix the problem. If you are unable to login there, go to this Facebook help page instead and fill out the request form for Facebook to review your account. You will need to answer a few security questions to prove your identity. This might include providing proof of ID like a photo of a driver’s license.

4. Secure Your Wi-Fi Router

The flood of people working remotely since Covid put home Wi-Fi routers squarely in hackers’ target sights. As a result, malware attacks on home Wi-Fi networks are on the rise because residential setups often lack the level of security and protection that is found on enterprise networks.

One nasty attack tool, dubbed ZuoRAT, is a remote access trojan designed to hack into small office/home office routers. It can affect macOS, Windows, and Linux computers.

With it, hackers can collect your data and hijack any sites you visit while on your network. One of ZuroRAT’s worst factors is that once your router is infected, it can infect other routers to continue spreading the hackers’ access.

Apply these steps to better secure your home/office Wi-Fi network:

  • Be sure to enable WPA2 or WPA3 encryption on your routers. The default factory setting is often the outdated WEP (Wired Equivalent Privacy) security protocol, or none is set at all. Check the user manual or the router manufacturer’s website for directions.
  • Change your router’s SSID (Service Set Identifier) and password. This is critical. Typically, the factory setting shows the router’s make or model and has a universal password such as 0000 or 1234. Rename the SSID to not easily identify you. Avoid names that include, for example, all or parts of your name or address. Make sure the password is very strong.
  • For added protection, change the router’s password regularly. Yes, this is a big inconvenience because you also must update the password on all your devices that use that Wi-Fi network. But considering it will keep out hackers, it is well worth the hassle.
  • Keep the router’s firmware updated. Check the user manual and/or the manufacturer’s website for steps to download the latest updates.

How do I create a password that is hard to hack?

The strongest passwords have all these characteristics:

  • Lengthy — the more characters, the better
  • A mix of upper-case and lower-case letters, numerals, and special characters
  • No dictionary words or anything related to personal information

Pro Tip: When using a password generator, always change at least a few characters from the random result to create your final credentials.

5. Beware of Phony Tech Support Schemes

Some fraudsters call on the phone to tell you they are a tech support division working for a well-known computer or software company. The caller claims to be calling in response to an alert from your computer of a virus detection or malware on your device. The scammer offers to fix it if you simply provide your credit card number.

Hang up. Your computer is not infected.

A modified version of this tech support scam is a text or email claiming the same details. Do not reply. Just delete the message and move on.

You might also be browsing the web when a pop-up message crashes onto your screen. I have received very loud audio alerts warning me that my computer is at risk and not to turn it off without responding for help.

In all these cases, the scammers want to scare you to comply with their instructions. The action they want you to take to let them fix the alleged problem will hurt your bank account and possibly let them transmit real infections.

Follow these best practices to protect yourself from tech support fraud:

  • Never let a scammer con you into going to a website or clicking on a link.
  • Never agree to a remote connection by the so-called tech support agent that initiated contact to you.
  • Never give payment information in exchange for technical support you did not initiate. Legitimate tech companies will not call you and ask for payment to fix a problem they claim to have discovered on your device.

If you suspect your computer has a virus or malware problem, initiate contact with a repair center yourself. You probably already have a support plan or active warranty from where you purchased the computer. If you have not contacted a tech support company, the call or message you received is illegitimate.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Jack M. Germain
More in Cybersecurity

Top Universities Exposing Students, Faculty and Staff to Email Crime

Nearly all the top 10 universities in the United States, United Kingdom, and Australia are putting their students, faculty and staff at risk of email compromise by failing to block attackers from spoofing the schools’ email domains.

According to a report released Tuesday by enterprise security company Proofpoint, universities in the United States are most at risk with the poorest levels of protection, followed by the United Kingdom, then Australia.

The report is based on an analysis of Domain-based Message Authentication, Reporting and Conformance (DMARC) records at the schools. DMARC is a nearly decade-old email validation protocol used to authenticate a sender’s domain before delivering an email message to its destination.

The protocol offers three levels of protection — monitor, quarantine, and the strongest level, reject. None of the top universities in any of the countries had the reject level of protection enabled, the report found.

“Higher education institutions hold masses of sensitive personal and financial data, perhaps more so than any industry outside healthcare,” Proofpoint Executive Vice President for Cybersecurity Strategy Ryan Kalember said in a statement.

“This, unfortunately, makes these institutions a highly attractive target for cybercriminals,” he continued. “The pandemic and rapid shift to remote learning has further heightened the cybersecurity challenges for tertiary education institutions and opened them up to significant risks from malicious email-based cyberattacks, such as phishing.”

Barriers to DMARC Adoption

Universities aren’t alone in poor DMARC implementation.

A recent analysis of 64 million domains globally by Red Sift, a London-based maker of an integrated email and brand protection platform, found that only 2.1 percent of the domains had implemented DMARC. Moreover, only 28% of all publicly traded companies in the world have fully implemented the protocol, while 41% enabled only the basic level of it.

There can be a number of reasons for an organization not adopting DMARC. “There can be a lack of awareness around the importance of implementing DMARC policies, as well as companies not being fully aware of how to get started on implementing the protocol,” explained Proofpoint Industries Solutions and Strategy Leader Ryan Witt.

“Additionally,” he continued, “a lack of government policy to mandate DMARC as a requirement could be a contributing factor.”

“Further,” he added, “with the pandemic and current economy, organizations may be struggling to transform their business model, so competing priorities and lack of resources are also likely factors.”

The technology can be challenging to set up, too. “It requires the ability to publish DNS records, which requires systems and network administration experience,” explained Craig Lurey, CTO and co-founder of Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, in Chicago.

In addition, he told TechNewsWorld: “There are several layers of setup required for DMARC to be implemented correctly. It needs to be closely monitored during implementation of the policy and the rollout to ensure that valid email is not being blocked.”

No Bullet for Spoofing

Nicole Hoffman, a senior cyber threat intelligence analyst with Digital Shadows, a provider of digital risk protection solutions in San Francisco, agreed that implementing DMARC can be a daunting task. “If implemented incorrectly, it can break things and interrupt business operations,” she told TechNewsWorld.

“Some organizations hire third parties to help with implementation, but this requires financial resources that need to be approved,” she added.

She cautioned that DMARC will not protect against all types of email domain spoofing.

“If you receive an email that appears to be from Bob at Google, but the email actually originated from Yahoo mail, DMARC would detect this,” she explained. “However, if a threat actor registered a domain that closely resembles Google’s domain, such as Googl3, DMARC would not detect that.”

Unused domains can also be a way to evade DMARC. “Domains that are registered, but unused, are also at risk of email domain spoofing,” Lurey explained. “Even when organizations have DMARC implemented on their primary domain, failing to enable DMARC on unused domains makes them potential targets for spoofing.”

Universities’ Unique Challenges

Universities can have their own set of difficulties when it comes to implementing DMARC.

“A lot of times universities don’t have a centralized IT department,” Red Sift Senior Director of Global Channels Brian Westnedge told TechNewsWorld. “Each college has its own IT department operating in silos. That can make it a challenge to implement DMARC across the organization because everyone is doing something a little different with email.”

Witt added that the constantly changing student population at universities, combined with a culture of openness and information-sharing, can conflict with the rules and controls often needed to effectively protect the users and systems from attack and compromise.

Furthermore, he continued, many academic institutions have an associated health system, so they need to adhere to controls associated with a regulated industry.

Funding can also be an issue at universities, noted John Bambenek, principle threat hunter at Netenrich, a San Jose, Calif.-based IT and digital security operations company. “The biggest challenges to universities is low funding of security teams — if they have one — and low funding of IT teams in general,” he told TechNewsWorld.

“Universities don’t pay particularly well, so part of it is a knowledge gap,” he said.

“There is also a culture in many universities against implementing any policies that could impede research,” he added. “When I worked at a university 15 years ago, there were knock-down drag-out fights against mandatory antivirus on workstations.”

Expensive Problem

Mark Arnold, vice president for advisory services at Lares, an information security consulting firm in Denver, noted domain spoofing is a significant threat to organizations and the technique of choice of threat actors to impersonate businesses and employees.

“Organizational threat models should account for this prevalent threat,” he told TechNewsWorld. “Implementing DMARC allows organizations to filter and validate messages and help thwart phishing campaigns and other business email compromises.”

Business email compromise (BEC) is probably the most expensive problem in all of cybersecurity, maintained Witt. According to the FBI, $43 billion was lost to BEC thieves between June 2016 and December 2021.

“Most people don’t realize how extraordinarily easy it is to spoof an email,” Witt said. “Anyone can send a BEC email to an intended target, and it has a high probability of getting through, especially if the impersonated organization isn’t authenticating their email.”

“These messages often don’t include malicious links or attachments, sidestepping traditional security solutions that analyze messages for these traits,” he continued. “Instead, the emails are simply sent with text designed to con the victim into acting.”

“Domain spoofing, and its cousin typosquatting, are the lowest hanging fruit for cybercriminals,” Bambenek added. “If you can get people to click on your emails because it looks like it is coming from their own university, you get a higher click-through rate and by extension, more fraud losses, stolen credentials and successful cybercrime.”

“In recent years,” he said, “attackers have been stealing students’ financial aid refunds. There is big money to be made by criminals here.”

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by John P. Mello Jr.
More in Cybersecurity