The personal identifying information (PII)—names, email addresses, phone numbers, physical addresses, employers and job titles—for 33,698,126 Americans has been leaked online.
The data, a 52.2GB CSV file, came from a commercial corporate database. Security researcher Troy Hunt determined that the breach came from NetProspex, a service provided by Dun & Bradstreet, which ironically was named as a 2017 world’s most ethical company.
The leaked database is currently listed as the 16th biggest breach on Have I Been Pwned, meaning more people were affected than in the Ashley Madison breach and fewer than in the Last.fm breach. Hunt wrote on HIBP:
In 2016, a list of over 33 million individuals in corporate America sourced from Dun & Bradstreet's NetProspex service was leaked online. D&B believe the targeted marketing data was lost by a customer who purchased it from them. It contained extensive personal and corporate information including names, email addresses, job titles and general information about the employer.
Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses
NetProspex describes what it does as:
We help marketers develop and manage their B2B data. Our multi-faceted data quality processes — backed by the world's largest commercial database and seamless integration into your marketing systems — enables you to identify the best opportunities, build stronger relationships and accelerate growth for your company.
All the records are from the U.S., Hunt said, with the most — over 4 million records — coming from California, followed by 2.7 million from New York and 2.6 million from Texas.
Hunt further provided a breakdown of the top 10 companies in the data set, listing how many records were from each:
- DOD Cce.: 101,013
- United States Postal Service: 88,153
- AT&T Inc.: 67382
- Wal-Mart Stores, Inc.: 55,421
- CVS Health Corporation: 40,739
- The Ohio State University: 38,705
- Citigroup Inc.: 35,292
- Wells Fargo Bank, National Association: 34,928
- Kaiser Foundation Hospitals: 34,805
- International Business Machines Corporation: 33,412
Regarding the Department of Defense, there were over 10,000 “unique job titles such as ‘Soldier’ (which was the most common with 2.7k entries), but also titles like ‘Ammunition Specialist’ (91 people) and ‘Chemical Engineer’ (32), along with the sorts of roles you'd expect in the army such as ‘Intelligence Analyst’ (715) and ‘Platoon Sargent’ (670).”
Hunted added, “When you look at that list and ask ‘How would the US military feel about this data - complete with PII and job title - being circulated,’ you can't help but feel it poses some serious risks. (The ISIS kill list of last year was one of the first things I thought of.)”
After ZDNet’s Zach Whittaker, whose PII was also included in the leaked corporate database, reached out to Dun & Bradshaw, the company said, “We've carefully evaluated the information that was shared with us, and it is of a type and in a format that we deliver to customers every day. Based on our analysis, it was not accessed or exposed through a Dun & Bradstreet system.”
It was not saying the 6-month old bulk data did not originally belong to Dun & Bradshaw, just that its own systems were not compromised. It claims to have sold the data “to ‘thousands’ of companies.” It was attempting to determine which third-party company exposed the copy of the database, but that it was “difficult.” Lastly, it emphasized that the data collection complied with U.S. laws, but contained “no PII data.”
Hunt disagrees, writing, “When you have someone's first and last names, their job title and their email address along with the company they work for, you have PII. And that's really what makes this a highly volatile collection of data; this much personal information on this many people and set in the context of their professional roles poses numerous risks to the organizations involved here.”
Hunt pointed back at what Tim Berners-Lee recently said on the 28th anniversary of the web, agreeing that we have lost control of our personal data.