Highly personal identifying information of nearly 34 million Americans, collected for a corporate database, has leaked online

The personal identifying information (PII) of 33,698,126 Americans, including names, email addresses, phone numbers, physical addresses, employers and job titles, has been leaked online. The data, a 52.2GB CSV file, came from a commercial corporate database. Security researcher Troy Hunt determined that the breach came from NetProspex, a service provided by Dun & Bradstreet, which, ironically, was named one of the 2017 World’s Most Ethical Companies.

The leaked database is currently listed as the 16th biggest breach on Have I Been Pwned (HIBP), meaning more people were affected than in the Ashley Madison breach and fewer than in the Last.fm breach. Hunt wrote on HIBP:

“In 2016, a list of over 33 million individuals in corporate America sourced from Dun & Bradstreet’s NetProspex service was leaked online. D&B believe the targeted marketing data was lost by a customer who purchased it from them. It contained extensive personal and corporate information including names, email addresses, job titles and general information about the employer.

Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses”

NetProspex describes what it does as: “We help marketers develop and manage their B2B data. Our multi-faceted data quality processes — backed by the world’s largest commercial database and seamless integration into your marketing systems — enables you to identify the best opportunities, build stronger relationships and accelerate growth for your company.”

All the records are from the U.S., Hunt said, with the most, over 4 million records, coming from California, followed by 2.7 million from New York and 2.6 million from Texas.

Hunt further provided a breakdown of the top 10 companies in the data set, listing how many records came from each:

DOD Cce.: 101,013
United States Postal Service: 88,153
AT&T Inc.: 67,382
Wal-Mart Stores, Inc.: 55,421
CVS Health Corporation: 40,739
The Ohio State University: 38,705
Citigroup Inc.: 35,292
Wells Fargo Bank, National Association: 34,928
Kaiser Foundation Hospitals: 34,805
International Business Machines Corporation: 33,412

Regarding the Department of Defense, there were over 10,000 “unique job titles such as ‘Soldier’ (which was the most common with 2.7k entries), but also titles like ‘Ammunition Specialist’ (91 people) and ‘Chemical Engineer’ (32), along with the sorts of roles you’d expect in the army such as ‘Intelligence Analyst’ (715) and ‘Platoon Sargent’ (670).”

Hunt added, “When you look at that list and ask ‘How would the US military feel about this data – complete with PII and job title – being circulated,’ you can’t help but feel it poses some serious risks. (The ISIS kill list of last year was one of the first things I thought of.)”

After ZDNet’s Zack Whittaker, whose PII was also included in the leaked corporate database, reached out to Dun & Bradstreet, the company said, “We’ve carefully evaluated the information that was shared with us, and it is of a type and in a format that we deliver to customers every day. Based on our analysis, it was not accessed or exposed through a Dun & Bradstreet system.”

The company was not saying the six-month-old bulk data did not originally belong to Dun & Bradstreet, just that its own systems were not compromised. It claims to have sold the data “to ‘thousands’ of companies.” It was attempting to determine which third-party company exposed the copy of the database, but said that it was “difficult.” Lastly, it emphasized that the data collection complied with U.S. laws but contained “no PII data.”

Hunt disagrees, writing, “When you have someone’s first and last names, their job title and their email address along with the company they work for, you have PII. And that’s really what makes this a highly volatile collection of data; this much personal information on this many people and set in the context of their professional roles poses numerous risks to the organizations involved here.”

Hunt pointed back at what Tim Berners-Lee recently said on the 28th anniversary of the web, agreeing that we have lost control of our personal data.