Dit is een interessant datalek. Niet alleen door de hoeveelheid data die gelekt werden. Maar vooral door het feit dat de data gelekt werden bij een commercieel bedrijf dat de databank in 2015 heeft overgekocht en dat het bedrijf in kwestie blijkbaar geen graten ziet in het datalek.
Millions of records from a commercial corporate database have been leaked. The database, about 52GB in size, contains just under 33.7 million unique email addresses and other contact information from employees of thousands of companies, representing a large portion of the US corporate population. Dun & Bradstreet, a business services giant, confirmed that it owns the database, which it acquired as part of a 2015 deal to buy NetProspex for $125 million. The purchased database contains dozens of fields, some including personal information such as names, job titles and functions, work email addresses, and phone numbers. Other information includes more generic corporate and publicly sourced data, such as believed office location, the number of employees in the business unit, and other descriptions of the kind of industry the company falls into, such as advertising, legal, media and broadcasting, and telecoms. This entire database is used for marketers who want to directly target their own email campaigns and through other communications methods for current and prospective customers.
Voor Dun & Bradstreet is er weinig aan de hand.
Dun & Bradstreet downplayed the risk to its customers and those it collects data on. The company said that the data contains “generally publicly available business contact data, used for sales and marketing purposes.” They added that the data was approximately six months old and the bulk data had been sold to “thousands” of other firms.
Troy Hunt van Have I Been Pwned heeft daar duidelijk een andere mening over.
When you have someone’s first and last names, their job title and their email address along with the company they work for, you have personal identifiable information. And that’s really what makes this a highly volatile collection of data; this much personal information on this many people and set in the context of their professional roles poses numerous risks to the organizations involved here. This kind of data can be used by marketers, but it can also be used by nefarious actors who target victims for malicious gain.
It’s an absolute goldmine for phishing because here you have a huge amount of useful information from which to craft attacks. From this data, you can piece together organizational structures and tailor messaging to create an air of authenticity and that’s something that’s attractive to crooks and nation-state actors alike.
En de belangrijkste boodschap van Troy Hunt is toch wel deze:
Whilst you could piece together parts of the data from information already in the public domain, having it aggregated and so easily searchable in this fashion (…) also serves as a reminder that we’ve lost control of our privacy; the vast majority of people in the data set would have no idea their information is being sold in this fashion and they certainly don’t have any control over it.
— Bron: ZDNet