Personal and contact information on over 33 million employees of various US-based corporations and federal agencies like the Department of Defense has been leaked.
The database, shared with security researcher Troy Hunt, was handed over to him by a source who has been “quite reliable in the past,” but it is unknown how that source got it.
What’s in the leaked database?
Each record contains a person’s first and last name; job title, function and level; contact phone number and email address; the name of the employer and information about that company or organization (address, phone number, web address, number of employees, revenue, industry, parent company and the same information about that parent company).
This particular database is US-centric, and contains information about employees of the Department of Defense, US Postal Service, AT&T, Wal-Mart, Citigroup, the Ohio State University, FedEx, Boeing, and many other organizations.
Owner of the leaked data
Each entry is marked with a “netprospex contact id”, which allowed Hunt to pinpoint the owner of the leaked data: NetProspex is a service provided by Dun & Bradstreet, a US business services company that provides commercial data to businesses on business-to-business sales and marketing, supply chain management, social identity matching, and so on.
After being contacted and shown the data, the company confirmed that it was definitely collected by them.
They sell the data to thousands of customers, and some of those customers proceed to sell it on to other customers. “In terms of where this data specifically came from, D&B don’t believe it was directly from one of their systems and with thousands of customers purchasing this information, we may well never know who lost it,” Hunt commented.
How was the data exposed?
The most likely explanation is that one of the buyers of the data inadvertently exposed it by leaving their database unprotected, and someone downloaded it and possibly offered it for sale on underground forums.
While the leaked data is not secret, and can be found by anyone who knows how to use an Internet search engine, it’s helpful to have it all in one place to make targeted marketing efforts easier.
But this type of information can also come in handy to fraudsters and criminals, as it can be misused to impersonate employees and trick others into sharing more sensitive information (e.g. corporate W-2 forms) or to perform CEO fraud, or worse.
Hunt made the data searchable through his Have I Been Pwned? service, but even if your data is there, there’s nothing you can do about the leak.
“The simple reality today is that our personal data is spread across places well beyond our control,” Hunt noted.