Euro Security Watch with Mathew J. Schwartz

Breach Notification , Data Loss Prevention (DLP) , Governance & Risk Management

Yes, I Have Been Pwned

Dun & Bradstreet: The Marketing List Curator Who Pwned Me
Yes, I Have Been Pwned

With apologies to Troy Hunt, the last thing you want to see as you're having your first cup of coffee and scanning the interwebz for the latest and greatest cat video is an alert from his Have I Been Pwned? service.

See Also: 5 Requirements for Modern DLP

If the free data breach notification service emails you, it means the email address that you've registered has been found in a data dump, often with a large helping of much more of your personally identifiable information, not to mention passwords or other sensitive details.

I've been pwned.

My personal pwnage.

My information was included in a dump of 33.7 million records collected by marketing list curator NetProspex, which publicly traded business services firm Dun & Bradstreet acquired in 2015 for $125 million.

Using the email addresses, Hunt indexed all of the affected individuals' places of work - NetProspex is U.S.-focused - to provide a count of which organizations have the most employees affected by this breach:

  1. U.S. Department of Defense: 101,013
  2. U.S. Postal Service: 88,153
  3. AT&T: 67,382
  4. Wal-Mart stores: 55,421
  5. CVS: 40,739
  6. The Ohio State University: 38,705
  7. Citigroup: 35,292
  8. Wells Fargo Bank: 34,928
  9. Kaiser Foundation Hospitals: 34,805
  10. IBM: 33,412

I've reached out to Dun & Bradstreet via Twitter and email for more details about the breach, as well as its notification plans for victims. If I hear back, I'll update this post.

Thanks to Hunt, however, we at least know that this information has been circulating, apparently for the past six months.

Losing Control

The breach demonstrates how "people have lost control of their data," Hunt says in a March 15 blog post.

In a comment to his blog in response to a breach victim's queries, he says that while he doesn't know what Dun & Bradstreet is required to do legally, ethically speaking "if they're curating marketing lists containing data of tens of millions of people just like you, then you should have every right to both request what information they have on you *and* request that they remove it if desired."

I've also queried Dun & Bradstreet to ask if they will be furnishing a copy of all information they collect on an individual to that individual, and allowing them to make corrections or honor requests for deletion.

ZDNet's Zack Whittaker, who worked with Hunt to research the leaked data in advance of it being added to Have I Been Pwned, says Dun & Bradstreet would communicate about the information exposure with him only via this statement: "We've carefully evaluated the information that was shared with us and it is of a type and in a format that we deliver to customers every day. Based on our analysis, it was not accessed or exposed through a Dun & Bradstreet system."

Expect Notification, Not Justice

As a reporter, I've been tracking data breaches and related privacy and notification laws since California passed its pioneering S.B. 1386, which took effect in July 2003, when I was living in the United States. And I've continued to follow related developments as breach notification laws have spread to most other states. That's no thanks to Congress, which can't seem to get it together to pass a national breach-notification law. Meanwhile, such laws have also popped up around the world, including the new General Data Protection Regulation in Europe, where I live now.

As a consumer, one of the worst aspects of data breaches for me is the seeming inability to do anything about it. Indeed, my first breach notification arrived in 2010, courtesy of the Internal Revenue Service. In addition to collecting my U.S. taxes, the agency went the extra mile and managed to expose my personal information as well.

On the upside, thanks to states' breach-notification laws, that federal agency was legally required to alert me, which is good - at least I knew.

More Organizations Do Take Responsibility

Thanks to breach notifications, more organizations are now feeling compelled to come forward, whatever the legal requirements. "I think the big media attention that we get over these incidents has made a big difference," Hunt told me at last month's RSA Conference in San Francisco. "Rightly or wrongly, the press exposure does force the hand of these organizations to disclose and to take responsibility for these hacks."

Don't, however, expect much more than being notified when your personal data has been exposed. For good or bad, most U.S. data breach lawsuits fail because plaintiffs can't prove "injury," since most courts narrowly define "harm" in terms of financial loss. Of course, losses from payment card breaches are typically covered in full by card issuers.

But that overlooks the sense of powerlessness that breach victims can feel, as well as the risk that your information might be used for identity theft at any point in the future, especially if Social Security numbers or other personally identifiable information gets exposed. When that happens, consumers are left to clean up the mess, and it's a time-consuming and demoralizing situation to be in.

Meanwhile, organizations such as Dun & Bradstreet continue to profit off of our personal information, and face few - if any - repercussions if the information they collect, consolidate and cross-reference gets exposed. At that point, instead of ostensibly legitimate organizations paying to acquire your details, spammers or cybercriminals may get easy access to it as well.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.