The list includes details on DoD employees, army men & more

Mar 15, 2017 22:21 GMT

Some 33.8 million unique email addresses and other contact information from employees of thousands of companies across the United States have been leaked in a massive 52GB database.

While this is certainly not the first time such a database has leaked, it's one of the most clearly formatted ones, and it comes from Dun & Bradstreet, a business services giant. The company has admitted that it owns the database and that it was acquired as part of a 2015 deal to buy NetProspex for $125 million, ZDNet reports.

The database landed on the digital doorstep of Troy Hunt, the man behind the famous Have I Been Pwned website, which puts together data leaks that you can search through to see if your email pops up.

The leaked database contains dozens of fields including personal information such as names, job titles, functions, work email addresses, and phone numbers, as well as details about the workplace such as estimated revenue, number of employees, and so on.

This is the type of database that marketers use to directly target email campaigns and other types of campaigns for customers, old and new.

High value

Although Dun & Bradstreet has paid a nice sum for the entire database, it has certainly gained quite a bit of it back. A brochure from about two years ago indicates that companies can access half a million records for up to $200,000. Since this database alone has over 33 million, we can imagine there were plenty of buyers.

According to Troy Hunt, who went through the database, all the data is from the United States. The most records, 4 million of them, come from California, followed by New York with 2.7 million records and Texas with 2.6 million records.

High-risk list

The leading organization by records is the Department of Defense, which is quite worrying considering the sensitive nature of the information there. There are over 100,000 military personnel records and over 10,000 unique job titles, such as Soldier, Ammunition Specialist, or Chemical Engineer.

Next was the US Postal Service with over 88,000 employee records, followed by the US Army, Air Force and Department of Veterans Affairs with a combined 76,000 records.

It's true that most of this data can be easily gathered since it's all public, but having it all in one location, easily searchable, is immensely valuable.

"It also serves as a reminder that we've lost control of our privacy; the vast majority of people in the data set would have no idea their information is being sold in this fashion, and they certainly don't have any control over it," Hunt says.

Dun & Bradstreet admits that the database is theirs, but says its systems were not breached or exposed. In fact, it mentions that most of the data had been sold to "thousands" of other firms.

"Dun & Bradstreet maintains that neither they nor NetProspex suffered a breach or caused the leak. If true, and the leak stemmed from one of their customers, this represents a new dimension of third party risk. While customers don't have ongoing relationships in the way that vendors and suppliers do, they still can pose risk when licensing and buying data in bulk," says Stephen Boyer, co-founder and CTO of third-party risk management and security ratings firm BitSight.

"Moreover, this leak allows cyber criminals to carry out whaling attacks for large enterprises. Some organizations have over 100,000 employee records compromised in this breach and may witness an uptake in targeted phishing attacks and fraud schemes," he adds.