33M government, corporate employee records leaked from DUNS database


A 52 gigabyte corporate database, acquired by business management consultants Dun & Bradstreet in 2015, has been leaked online, exposing personal information of nearly 34 million individuals, including Department of Defense and U.S. Postal Service employees.

As reported by BBC News and ZDNet, among others, Troy Hunt first published news of the leak on his blog troyhunt.com.

Names, job titles and functions, work email addresses and phone numbers, as well as generic corporate and publicly sourced data, are included in the collated records. This contact information could be used to map organizational structures, tailor messages for phishing campaigns and carry out malicious activities aimed at procuring far more sensitive data.

The CSV file was originally compiled for marketers by NetProspex, the company Dun & Bradstreet acquired. The file's fields, which represent exclusively United States data, contain more than 100,000 DoD entries and over 88,000 Postal Service entries. The Army, Air Force and Dept. of Veterans Affairs are all featured in the records.

“Our personal data is constantly at risk for being exposed by cybercriminals — and marketers alike,” commented Brian Vecci, tech evangelist at security software company Varonis. “All this personal identifiable information in one place makes it easy for those with malicious intent to develop targeted whale phishing campaigns and W-2 BEC scams — like the ones that have already compromised over 120,000 U.S. taxpayers this year.”

Hunt has incorporated the information assets into his website haveibeenpwned.com, which allows people to determine via email address if they are included in the breach.