Alert: Vast Marketing Database Leaked. 33.7 Million Records Made Public

A sizable cache of personal information has been made public, with 33.7 million records being exposed. While not technically dangerous in its own right, this data could potentially be used to enable those with less-than-noble intentions.

The 53 GB leaked database, contained email addresses, corporate data, and other professional details. Very professionally organized and strictly targeted to the United States, the database was clearly designed for marketing purposes. Somewhere along the line, however, the database found its way outside the creator’s control and is now available to many more than they ever intended.

The list was originally a customer profile database, available from business service firm Dun & Bradstreet for a fee. While such a list would be relatively harmless in the hands of legitimate marketing firms, the public should be concerned that malicious hackers can now access this information.

Troy Hunt, who manages Have I Been Pwned, a site that alerts users if their data may have been jeopardized in a breach or leak, gave his own analysis. According to Hunt, the most common organizations to appear in the records are the following, in order, along with the number of records associated with each:

• United States Department Of Defense: 101,013
• United States Postal Service: 88,153
• AT&T Inc.: 67382
• Wal-Mart Stores, Inc.: 55,421
• CVS Health Corporation: 40,739
• The Ohio State University: 38,705
• Citigroup Inc.: 35,292
• Wells Fargo Bank, National Association: 34,928
• Kaiser Foundation Hospitals: 34,805
• International Business Machines Corporation: 33,412

Putting aside the risks to national security the public availability of this list presents, consider the impact it could have on any of the companies listed on it. It more or less reads as a phishing scam targeting guide. With the names, titles, and contact info for high-ranking targets laid out, a phishing campaign would be simple to put together, enabling the perpetrator to wreak havoc on their targets from a very convincing vantage point--one that’s more or less theirs to choose.

And of course, we have to return to the fact that there is military and government data on this list as well. Just as with the rest of this list, these names are accompanied by their job title. According to Hunt, while “Soldier” was the most common entry in the DoD’s share of the record, there were more specific titles, such as “Chemical Engineer” and “Intelligence Analyst.”

The security expert posed a very apt question about these records, "How would the U.S. military feel about this data - complete with PII and job title - being circulated?" and mentioned the very real concerns this data brings up. Hunt explicitly mentioned the prevalence of state-sponsored hacking attacks and pointed out how valuable this list could potentially be to an unsympathetic foreign power.

The most important takeaway from this event was also summed up by Hunt. According to the security expert, there’s “zero” chance of the data being reclaimed.

As far as Dun & Bradstreet is concerned, the company does not seem worried. An emailed statement from a company spokesman outlined that, in no uncertain terms, the business services provider is in no way, shape, or form at fault for this breach.

Their argument cited that Dun & Bradstreet had not found any evidence of a breach within its own systems. Pairing that with the fact that the data matched up perfectly to what they had sold in bulk to, according to them, thousands of other companies. Dun & Bradstreet also pointed out that the data appeared to be six months old.

In their statement, Dun & Bradstreet worked to minimize the perception of the threat this data could cause, stating the list was made up of “generally publicly available business contact data.”

This, however, does nothing to make the leak of this information less of a potential danger.

If you’re concerned about any potential vulnerabilities you may be subject to, there are two steps you should take right now. It may not be a bad idea to check out Have I Been Pwned, to see if your data has ended up where it shouldn’t. To proactively protect your business against these threats, give us a call here at vCTO Secure. We’ll help your business secure its data against other leaks like this one. Call us at (206) 895-5595.