Don’t Call it a Leak: D&B Unit Coughs up Data on 33m Professionals
Like the ‘flaming river’ that eventually prompted anti-pollution laws, the casual leak of data on 33 million U.S. professionals is a sign that our online environment is badly compromised. But can we fix it?
This week brought news of yet another massive leak of personal information: a database of contact information on some 33 million professionals compiled and sold by the firm NetProspex, part of Dun & Bradstreet (or D&B for short).
According to a blog post by security researcher Troy Hunt, the database of US professionals was provided to him by a reliable source and contains personal contact information including addresses, phone numbers and email addresses. The database is searchable by a variety of factors including employer and job description.
The data is a gold mine for businesses and marketers, but also for cybercriminals or nation-state hackers. There is information on more than 100,000 employees of the Department of Defense. Hunt notes that the “job titles” field includes entries such as titles such as "Soldier" (2,700 of them), "Chemical Engineer,” and "Intelligence Analyst" (there are 715 of those listed).
More than 33,000 IBM employees are listed in the database, as well as more than 67,000 AT&T employees. Individuals working for Citigroup, Wells Fargo and other Fortune 500 firms are also well represented in the data, Hunt notes.
What is the source of this leak of information? Does this even constitute a leak? Dun & Bradstreet says “we don’t know” and “no.” In an email statement to a ZDNet reporter, the firm noted that the information obtained by Hunt was not obtained by hacking the company’s systems and “the bulk data had been sold to ‘thousands’ of other firms,” any one of whom could be the source of the data.
Dun & Bradstreet also downplayed the risk to those whose data was exposed. The data obtained by the company is "generally publicly available business contact data, used for sales and marketing purposes."
That may be true individually for each person whose name appears in that database (that is: we could find this information about “John Smith” via public records searches). But it sorely downplays the importance and impact of the scale of this leak. Assuming you could fit all the D&B data for each person in this database on a single sheet of paper, that pile of papers would be more than 2.5 miles (4 kilometers) tall – higher than many mountains.
It is true that regulated financial or health information like bank account numbers wasn’t part of this data horde, nor was sensitive information like Social Security Numbers. But malicious actors don’t need all the data in one place. They can simply add this trove to other troves of information, then use software to correlate and integrate the new data, fleshing out fuller, richer profiles of individuals or organizations.
In writing about the leak, Troy Hunt noted a recent editorial by World Wide Web inventor Sir. Tim Berners Lee. Writing on the 28th anniversary of his original proposal sketching out the idea of a Web, the Internet luminary opined in The Guardian that 3 trends threaten to undermine the original promise of the Web. Top among the threats, is Berners Lee’s contention that “we’ve lost control of our data.”
“The current business model for many websites offers free content in exchange for personal data,” Berners Lee wrote. “As our data is then held in proprietary silos, out of sight to us, we lose out on the benefits we could realise (sp) if we had direct control over this data and chose when and with whom to share it.”
That data, Berners Lee observes, is also an easy target for the prying eyes of governments and oppressive regimes. What Berners Lee doesn’t say, but that should be added, is that the aggregation of data in silos that are out of users’ direct control (or even knowledge) is a boon for cybercriminals and fraudsters as well as nation-state actors.
The Dun & Bradstreet leak, despite its size, is unremarkable. It comes within days of the exposure of sensitive information on some 4,000 Air Force officers including sensitive information like Social Security Numbers and details from confidential personnel files. Just yesterday, four men, including members of Russia’s FSB security services, were charged with hacking 500 million Yahoo! Accounts. In January, researchers discovered a database containing close to 400 million unique email addresses that belonged to River City Media, a notorious spam email outfit.
If this starts to look and sound like a slow-moving crisis, that’s because it is. As we learned with the flaming Cuyahoga River that Time Magazine documented in 1969 and that led to the passage of the Clean Water Act, public sentiment and the desire for action often takes years to crystallize (the same river caught fire on a dozen occasions prior to the ’69 incident, the earliest dating to the turn of the century). Simply put: people can accustom themselves to the most outrageous of conditions and become inured to them. What’s needed is an acute sense of outrage and a desire for change. We’ll see if the latest breaches bring that about. But, thus far, I’m not holding my breath.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business