A 52.5 GB NetProspex file of nearly 34 million US business contacts was recently stolen. Dun & Bradstreet did not indicate how the MongoDB database was purloined, but indicated it suffered no data breaches and the file was likely stolen from a customer. “We’ve carefully evaluated the information that was shared with us and it is of a type and in a format that we deliver to customers every day. Based on our analysis, it was not accessed or exposed through a Dun & Bradstreet system,” the firm said in a statement to ZD Net.
The file was believed to be six months old. While it was built and sold for legitimate sales and marketing purposes and complies with US law, it could be used for spamming and spear phishing. “It’s an absolute goldmine for phishing because here you have a huge amount of useful information from which to craft attacks,” said Internet security advocate Troy Hunt who publicized the breach. “From this data, you can piece together organizational structures and tailor messaging to create an air of authenticity and that’s something that’s attractive to crooks and nation-state actors alike.”
Content includes business contact information; job titles, functions, and levels; current employer; and employer firmographics including size, industry, location, and D-U-N-S Number. Their file does not contain personal emails, phones, biographics, or any kind of consumer credit data as Dun & Bradstreet strictly collects B2B company and contact intelligence. However, the file does contain extensive business and government employee data such as 100,000 Department of Defense and a combined 75,000 Army, Air Force, and VA contacts.
Dun & Bradstreet should evaluate whether retaining titles for military and security agencies is in their best interest (and the country’s). For example, being able to identify 715 military Intelligence Analysts makes it easy for nefarious parties to spearphish them. This may be a case where losing the actual job title and simply mapping the title to a job function (e.g. procurement, security, medical, R&D) would make sense. Another option might be to track only government officials whose name appear in official sites and publications. As the government publishes bid data through FedBizOpps, procurement contacts would still be available for commercial purposes.
“Whilst you could piece together parts of the data from information already in the public domain, having it aggregated and so easily searchable in this fashion is enormously valuable,” said Hunt. “It also serves as a reminder that we’ve lost control of our privacy; the vast majority of people in the data set would have no idea their information is being sold in this fashion and they certainly don’t have any control over it.”
If you would like to check on whether your personal or business email information have been stolen, Hunt has setup a free site which tracks over 200 stolen databases. Registration takes about 3 minutes (you need to validate that you are researching your own contact information). The site will also advise you if your email appears in future breaches.