Over 33mn US employee records, including those of military personnel, hacked

15 Mar, 2017 16:47

A database containing more than 33 million records of corporate and government employees has been leaked online, including records from the Department of Defense, US Postal Service, Wal-Mart, and Ohio State University.

The database belongs to Dun & Bradstreet, which licenses information on businesses and corporations for use in credit decisions, business-to-business marketing, and supply chain management. In 2013, it held over 225 million business records from companies around the globe.

The leaked 52.2-gigabyte corporate database from the business services firm contains millions of people’s names, work email addresses, phone numbers, and the companies they work for, along with their job titles, ZDNet reports.

Dun & Bradstreet said it owned the database, which it had acquired as part of a deal in 2015 to buy NetProspex. An internal investigation showed the firm had not suffered a security breach, meaning the leak could have come from one of its thousands of customers.

The leak affects over 100,000 employees with the Department of Defense, over 88,000 with the US Postal Service, more than 6,000 with AT&T, over 55,000 with Wal-Mart, more than 40,000 with CVS, over 38,000 with the Ohio State University, over 35,000 with Citigroup, more than 34,000 with Wells Fargo Bank, over 34,000 with Kaiser Foundation Hospitals, and over 33,000 with IBM.

The breakdown was entirely US-focused, with California as the most highly represented demographic with over four million records, then New York with 2.7 million records, and Texas with 2.6 million records.

Dun & Bradstreet downplayed the risk to its customers and told ZDNet that the database contains “generally publicly-available business contact data, used for sales and marketing purposes.”

Breach analysts, however, see the massive hack differently.

“Whilst you could piece together parts of the data from information already in the public domain, having it aggregated and so easily searchable in this fashion is enormously valuable,” Troy Hunt said in his blog. Hunt, who runs the breach notification site Have I Been Pwned, obtained the database and analyzed the records.

“It also serves as a reminder that we’ve lost control of our privacy; the vast majority of people in the data set would have no idea their information is being sold in this fashion and they certainly don’t have control over it.”

It is not yet known how the data was exposed or who is to blame for the leak.

The hacked database was used by marketers to target current and prospective customers directly through their own email campaigns and other communication methods.