Cyber Incident Victim: Dun & Bradstreet

Date: Mar 2017

Location: United States of America

Summary

A commercial database containing millions of records from a business services giant was leaked, exposing nearly 33.7 million unique email addresses alongside employee names, job titles, phone numbers, and corporate details such as office locations and industry classifications. The compromised data, primarily used for marketing purposes, included sensitive personally identifiable information that could facilitate phishing or other malicious activities. Analysis revealed that 14% of the exposed email addresses had previously appeared in other breaches. The company asserted that the data consisted of publicly available business contact information and maintained that it complied with privacy regulations, though it acknowledged occasionally collecting more sensitive data unintentionally. Security experts emphasized the irreversible exposure risks to affected individuals, highlighting concerns over data privacy and control.

Description

On March 14, 2017, security researcher Troy Hunt identified a significant data exposure involving a 52GB commercial database containing approximately 33.7 million unique email addresses and associated corporate contact information. The database, owned by business services firm Dun & Bradstreet, originated from their 2015 acquisition of marketing data company NetProspex for $125 million. Records included personally identifiable information such as employee names, job titles, work email addresses, and phone numbers, alongside corporate descriptors like office locations, industry classifications (advertising, legal, media, telecom), and business unit sizes. Marketed for sales outreach, the data was typically sold in bulk or segmented categories, with historical pricing indicating access to 500,000 records could cost up to $200,000. Hunt obtained the exposed dataset and integrated it into his breach notification service, Have I Been Pwned, enabling public searches for compromised emails. Analysis revealed that 14% of the email addresses matched existing entries in Hunt’s breach repository, suggesting prior exposures. How the data was leaked remained undetermined at the time of reporting.

Geographic analysis showed all records pertained to U.S. entities, with California (over 4 million records), New York (2.7 million), and Texas (2.6 million) as the most affected regions. Government organizations were prominently represented, including the Department of Defense (101,013 records) and the U.S. Postal Service (88,153 records). Dun & Bradstreet characterized the data as “generally publicly available business contact information” used for marketing, asserting minimal risk to individuals. Hunt countered that the combination of names, job titles, email addresses, and employer details constituted sensitive personal information exploitable for targeted phishing campaigns. The company acknowledged occasional inadvertent collection of sensitive data but maintained compliance with U.S. privacy regulations. Affected individuals had no recourse to remove their information from circulation once exposed. The incident underscored persistent challenges in third-party data management and the scalability of privacy risks in commercially aggregated datasets.
