A corporate database originating from business services firm Dun & Bradstreet has leaked online, compromising the contact details of more than 33 million people on the payroll at some of the country’s largest businesses and government organizations including AT&T, Walmart, Wells Fargo, the United States Postal Service and even the Department of Defense.
Security researcher Troy Hunt from Have I Been Pwned? worked with Zack Whittaker of ZDNet to get to the bottom of the matter. In analyzing a 52.2GB CSV file containing JSON data, Hunt found a total of 33,698,126 records containing detailed contact information including first and last names, job titles, e-mail addresses, phone numbers, employers, job functions and more.
The data, described as “very corporate” and “perfect” by Hunt, is limited to those working in the US. The top 10 entities on the list according to Hunt are as follows:
DOD Cce : 101,013
United States Postal Service : 88,153
AT&T Inc. : 67,382
Wal-Mart Stores, Inc. : 55,421
CVS Health Corporation : 40,739
The Ohio State University : 38,705
Citigroup Inc. : 35,292
Wells Fargo Bank, National Association : 34,928
Kaiser Foundation Hospitals : 34,805
International Business Machines Corporation : 33,412
Hunt and Whittaker were able to confirm that the data is indeed from Dun & Bradstreet and that it is database information that they sell to clients (for marketing purposes). That said, Dun & Bradstreet said they don’t believe the data came directly from one of their systems. With thousands of customers purchasing from the data set, it could be next to impossible to learn who ultimately leaked it – intentionally or not.