A corporate database originating from business services firm Dun & Bradstreet has leaked online, compromising the contact details of more than 33 million people on the payroll at some of the country’s largest businesses and government organizations including AT&T, Walmart, Wells Fargo, the United States Postal Service and even the Department of Defense.
Security researcher Troy Hunt from Have I Been Pwned? worked with Zack Whittaker of ZDNet to get to the bottom of the matter. In analyzing a 52.2GB CSV file containing JSON data, Hunt found a total of 33,698,126 records containing detailed contact information including first and last names, job titles, e-mail addresses, phone numbers, employers, job functions and more.
The data, described as “very corporate” and “perfect” by Hunt, is limited to those working in the US. The top 10 entities on the list according to Hunt are as follows:
- DOD Cce : 101,013
- United States Postal Service : 88,153
- AT&T Inc. : 67382
- Wal-Mart Stores, Inc. : 55,421
- CVS Health Corporation : 40,739
- The Ohio State University : 38,705
- Citigroup Inc. : 35,292
- Wells Fargo Bank, National Association : 34,928
- Kaiser Foundation Hospitals : 34,805
- International Business Machines Corporation : 33,412
Hunt and Whittaker were able to confirm that the data is indeed from Dun & Bradstreet and that it is database information that they sell to clients (for marketing purposes). That said, Dun & Bradstreet said they don’t believe the data came directly from one of their systems. With thousands of customers purchasing from the data set, it could be next to impossible to learn who ultimately leaked it – intentionally or not.