Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Privacy United States

Millions of Records Leaked From Huge US Corporate Database (zdnet.com) 66

Millions of records from a commercial corporate database have been leaked. ZDNet reports: The database, about 52 gigabytes in size, contains just under 33.7 million unique email addresses and other contact information from employees of thousands of companies, representing a large portion of the US corporate population. Dun & Bradstreet, a business services giant, confirmed that it owns the database, which it acquired as part of a 2015 deal to buy NetProspex for $125 million. The purchased database contains dozens of fields, some including personal information such as names, job titles and functions, work email addresses, and phone numbers. Other information includes more generic corporate and publicly sourced data, such as believed office location, the number of employees in the business unit, and other descriptions of the kind of industry the company falls into, such as advertising, legal, media and broadcasting, and telecoms.
This discussion has been archived. No new comments can be posted.

Millions of Records Leaked From Huge US Corporate Database

Comments Filter:
  • fast solution (Score:5, Insightful)

    by supernova87a ( 532540 ) <kepler1.hotmail@com> on Wednesday March 15, 2017 @01:44PM (#54045223)
    $1 penalty per leaked / stolen record, imposed by the FTC/SEC/SSA/CFPB will quickly remedy this problem. As long as the value of private personal information is intangible, the value it will be assigned in companies' risk assessments and capital plans is $0.

    But I guess that would be a burdensome regulation under our new regime.
    • Re:fast solution (Score:5, Insightful)

      by Bob the Super Hamste ( 1152367 ) on Wednesday March 15, 2017 @01:51PM (#54045275) Homepage
      Personally I would like it to be $10 per record paid to the person who the record is on. If it record contained some critical info like SSN or last 4 digits of SSN then make it $1000 per record. Granted those values don't actually cover the cost of the impacted individual in dealing with these situations (hey we leaked your SSN, mother's maiden name, and first pet's name so now you get to deal with fraud committed by others for the rest of your fucking life) but it would go a long way to ensuring that companies take some measures to actually protect personal data.
    • by raymorris ( 2726007 ) on Wednesday March 15, 2017 @01:59PM (#54045355) Journal

      > $1 penalty per leaked / stolen record

      The average cost to a company that's breached is already well over $1 per record, so no that doesn't "quickly remedy this problem". It IS slowly getting things fixed. A lot of companies have a Chief Security Officer now, a C-suite executive responsible for security. That wasn't the case ten years ago.

      The issue is, the likelihood of a major breach is low (for each conpany). People, including executives, aren't good at reasoning about unlikely events. On the other hand, insurance companies are very good at it. Risk assessment and risk reduction is their business and they've gotten quite good at it. Insurance companies created the fire code, UL labs, etc to reduce the risk of fire. They hold companies responsible for properly mitigating all kinds of risks, as a condition of issuing insurance. The cost of the insurance, which shows up on the balance sheet, is based on the risk-reduction methods that the insured uses. (Just like installing monitored fire and burglary alarms reduces the cost of your homeowners insurance). I think we'll see a major shift in information security when the insurance companies get more involved, requiring companies they insure to follow certain standards.

    • by pr0t0 ( 216378 )

      This. 100% this. It encourages a "store less, protect more" ethos. So if you're a company that really wants to make storing/selling demographic data your business model (ie marketing / telephone sanitizers), you'll protect the hell out of that database. It also discourages fly-by-night companies with no security-dna to start that type of business.

      I would add levels of pain. Name and address? That's mostly publicly available; small fine. SSN, CCN, pins or passwords? You had better have a good reason for stor

    • Companies spend some dollars on security to comply with audits and 1) know they are going to get owned (due to having their data managed on servers all over planet earth) 2) know they have a risk rider on their insurance. If the government wants to get in their face, they can just point to the CIA Vault#7 leak and if they haven't heard about that, they can point to the DNC email server.

      Security is officially and illusion. Even the high-end "super secure" stuff is owned by the CIA, so what are you going to

    • The problem with that approach here is that the government required you to register with Dun & Bradstreet if you wanted to bid on government contracts. When I worked at a hotel, I had to register us with them because a military group wanted to stay at our hotel for a retreat, and they required us to bid on the contract.

      So any penalty imposed on them would just end up being paid for by the government via higher fees, and/or higher contract bid prices.
    • $1 penalty per leaked / stolen record, imposed by the FTC/SEC/SSA/CFPB will quickly remedy this problem. As long as the value of private personal information is intangible, the value it will be assigned in companies' risk assessments and capital plans is $0.

      I wish that penalties like this would spur them to keep my data safe, but it won't. At best it *might* make them try a little harder but I'm afraid the fact is that nothing will keep our data safe from those who want it.

      The CIA, NSA, FBI....they all get hacked. Everyone gets hacked. There's no preventing it as far as I can tell. The attack surface is so large and there are so many potential points and methods of entry, it's a losing battle. That doesn't mean you should take precautions but if "they" want yo

  • Wonder if it will drive down the price of marketing data from other firms knowing that there is a set of data out there. It will go out of date eventually, but even old data can be good for updating.
    • well, since my e-mail was in the db (https://haveibeenpwned.com/) I would love a copy of it...
      Anyone have a link to it?

  • "...more generic corporate and publicly sourced data, such as believed office location, the number of employees in the business unit, and other descriptions of the kind of industry the company falls into, such as advertising, legal, media and broadcasting, and telecoms."

    The word you're looking for is 'client list' . (damn, that's 2 words)

  • Just remember; focus on the 'scary hackers' side of the story; not the 'the data were already aggregated and available, and presumably in use, well before the leak occurred' aspect.

    As long as giant databases remain in respectable hands, no harm can come of them; so just worry about whether it was a nation-state actor or an 'advanced persistent threat'. Nothing else to see here.
  • I did a haveibeenpwned check against our domain name and a couple of fake email addresses showed up in the NetProspex leak. These were email addresses that have never existed. Plus, none of our actual email addresses were in the leak.

    This may be a list of 33.7 million mostly fake or SPAM email addresses. Just sayin'.

  • by JustAnotherOldGuy ( 4145623 ) on Wednesday March 15, 2017 @02:16PM (#54045505) Journal

    From http://www.dnb.com/utility-pag... [dnb.com]

    "Data Security: Dun & Bradstreet applies appropriate technical, physical, and administrative Data security measures to protect Data against unauthorized access and disclosure."

    Except when they don't....

    Also, (farther down the page): "Dun & Bradstreet does not respond to Do Not Track Signals."

  • by ErichTheRed ( 39327 ) on Wednesday March 15, 2017 @02:29PM (#54045607)

    If I were a thief, the thing I'd try attacking is the increasing use of federated identity, and hit those targets with everything I had...social engineering, zero-days, finding soft spots where cut-rate consulting firms left the door open, the works. In the new cloudy world of abstracted everything, companies are finding it easier to rely on a few identity providers..."log in using Facebook" and the like. In the Microsoft, Google and Amazon iterations of this (MS account, Azure AD, Google Account, Amazon Identity Management,) companies are using third parties to handle authentication to their resources (at least on the web.) This means that the identities are slowly being consolidated to a few providers on the corporate side. Anyone using Office 365 in an organization likely has their credentials synchronized up to Azure AD, for example, so they can use the web apps like Outlook and Skype.

    OAuth and the like set up a very strong environment, but it's still just an identity database under the hood. Even if the provider has no idea what your password is, a hash of it is being stored somewhere...otherwise you wouldn't be able to authenticate. If anyone ever comes up with an easy way to break this, then everyone's going to be in for a round of password changes and free credit monitoring. Getting someone's corporate credentials gives thieves a lot more access than stealing one database.

    • by sl3xd ( 111641 )

      If anyone ever comes up with an easy way to break this, then everyone's going to be in for a round of password changes and free credit monitoring.

      You mean like the Ashley Madison hack [schneier.com], where the hackers found a weakness in the implementation of bcrypt, and were able to compute user passwords in "Hollywood time"?

      The bottom line there is that, like encryption, non-experts shouldn't develop their own implementations of a password hash. (Similar to "non-experts shouldn't implement encryption").

      With a good imple

  • It can't be copyrighted, and it is not (any longer) private information either... Is there a torrent or something?

  • See, when government agencies get hacked it's "well, government can't do ANYTHING right! See?" and when it's a private company, the response is "oh, yeah. Happens all the time. They really need to tighten up security...".
  • The purchased database contains dozens of fields, some including personal information such as names, job titles and functions, work email addresses, and phone numbers. Other information includes more generic corporate and publicly sourced data, such as believed office location, the number of employees in the business unit, and other descriptions of the kind of industry the company falls into, such as advertising, legal, media and broadcasting, and telecoms.

    So... pretty much the exact same information you can get by viewing someone's LinkedIn profile?

"Life sucks, but death doesn't put out at all...." -- Thomas J. Kopp

Working...