A large direct marketing list now circulating on the grey market reveals highly sensitive data on 200 million U.S. citizens. Was it really necessary to collect it all?

If you don’t collect it, no one can steal it.

Sometimes the best way to secure customer data is not to collect it in the first place. While it can be tempting to “collect it all” just in case, most enterprises need far less data on their users to market to them effectively. Reducing the amount of data collected means that in the inevitable event of a breach, the repercussions will be far less severe.

“One of the things we’re hearing from consumer brands is that they’re doing less,” Gerry Murray, director of marketing and sales technology research at IDC, says. “They’re becoming more thoughtful about ‘what do we want to know about you?’”

“For most commercial purposes you don’t need to know that many things about a person, and sometimes you’re better off not knowing,” he adds.

The apparent breach of a 200 million-record direct marketing list that appears to originate from a 2015 opt-in list puts the issue into focus.

What we know about the breached data

The breached records, which contain 42 fields, including address, phone, marital status, income, financial net worth, race, gender and religion, appear to have been originally collected by Experian (although Experian denies this) and licensed to thousands of direct marketers around the world, meaning the breach could have happened at any one of them and not necessarily at Experian. The files do not contain social security numbers, driver license or passport numbers, or credit card numbers and are thus not as sensitive as other breaches, such as the United States Office of Personnel Management (OPM) breach that exposed detailed personnel files of US government employees.
Taken in aggregate, however, the information paints a profile of American society at large and could be joined to other breached data by criminals or nation-state adversaries.

This kind of direct marketing data ages rapidly, and a list like this that might have fetched hundreds of thousands of dollars in license fees in 2015 is today worth almost nothing to legitimate direct marketers, sources familiar with the industry tell CSO.

The files all contain the word Experian in their name, and the fields match a direct marketing list advertised by a third party, Data Monster. (That list has since been removed from the Data Monster site.) Experian told CSO the data was not theirs, writing in an email, “We’ve investigated and this is not Experian’s data.” Data Monster also denied being the source of the breach, pointing out that such lists are licensed to thousands of call centers, and the breach could have originated from any one of them.

Last week an unknown actor circulated a link on Ghostbin pointing to files shared on mega.nz containing 27.8 million records, covering ten states. The ostensible motive was to offer a large free sample to possible buyers. CSO was able to confirm that data belonging to select employees at IDG Communications, CSO’s publisher, was genuine. The links to the files on mega.nz have since been taken down.

This is not the first time news of this purported data breach has popped up, but it is the first time actual data has been reported. In late 2016, hacker DoubleFlag offered a similar-sounding database for sale, but no data was released at that time. CSO reached out to DoubleFlag on two different email accounts but did not receive a reply.

Experian suffered a confirmed data breach in 2015 affecting 15 million people, but that breach appears unrelated to the data currently circulating, as it contained social security numbers as well as driver’s license and passport numbers.
The metadata of the data dictionary spreadsheet included with the leaked data includes a couple of tantalizing clues to its origin: a 2009 creation date, an author named “Albert Kohl,” and a last edit by “Joe.” Metadata can be easily faked, however.

Chalk up yet another data breach

Former Experian CISO for marketing and government services Jasun Tate, now chief intelligence and solutions officer at Bits & Digits, tells CSO that the hacker DoubleFlag is likely a nation-state cutout dropping dox so criminals will use the data and thus cover DoubleFlag’s tracks. “All these leaks…are part of a larger campaign from a mature and well-organized institution that has been collecting information on United States citizens for some time,” Tate tells CSO. “[They are] learning how we consume, think and are influenced to conduct more surgical campaigns against our institutions leveraging the big data that we throw around so flagrantly.”

[Figure: The fields shown in the CSV files of the exposed direct marketing list. Credit: J.M. Porup]

Even though Experian has denied that the data is theirs, we don’t know for sure whether Experian or a third party was asleep at the wheel when this data got loose. It almost doesn’t matter. The market has failed to select for strong cybersecurity controls, and the breaches will continue until regulation — and credit bureau security — improves.

Until then, consider being proactive in reducing your enterprise’s data collection footprint. The easiest way to protect your employer from data exfiltration is to avoid holding the data in the first place. In a post-GDPR, post-Cambridge Analytica world, smart brands will find a way to get on the good side of consumers and regulators. “Brands are now looking at how to differentiate themselves around the data relationship they have with their customers,” Murray says.
“How they treat their customer data is how they treat their customers.”