Once data is given away, it becomes difficult to know what happens to it and even more difficult to control what is done with it. There are global services that specialize in collecting and curating vast amounts of personal data and finding ways to use the information in targeted marketing schemes or other programs.
But even the companies that collect and sell this information do not have full visibility or control over the data they’ve released to customers. This troubling fact was highlighted by the recent incident involving Dun & Bradstreet (D&B), a company that provides data and insight to 90% of the Fortune 500™.
According to reports, the leaked D&B database contains data on 33.7 million unique individuals, with information that includes email addresses, job titles, employment details and more. The leak affects a sizeable chunk of corporate America as well as military organizations. The organizations with the most employees in the data set are the Department of Defense, the US Postal Service and AT&T Inc. Notable companies impacted include Wal-Mart, Citigroup, Wells Fargo and IBM, to name a few.
D&B confirmed that the data belongs to them as part of a “rental file” sold to marketers for email campaigns. The information had apparently been sold to “thousands” of other firms, meaning there is no way to confirm how many times it has been shared or accessed. The company maintains that their systems were not exposed, and that in all probability the leak came from one of their customers. They also highlighted the fact that no personally identifiable information (PII) was revealed in the leak, and that the information is already more than 6 months old.
Tracking and controlling information
The number of employees affected by this breach, the details obtained, and the companies involved, show a more sophisticated level of data collection. The data in commercial databases is of a higher quality than leaked databases that are compiled from stolen social media accounts—many of which are humorous and contain fake names or email accounts. D&B maintains that it has the largest commercial database on the planet, with more than 30,000 data sources. Of course, the sources for these collections can vary, but it’s not unusual for internet users to give away personal information—from emails to job titles and more—when asked to by online services or social media sites.
As early as 2013, we were wary about data collection and maintained that opting out of it should be a choice given to any user. Once personal information is entered into a database, it becomes nearly impossible to track where it goes or who has access to it. A sample of the leaked D&B database from recent reports shows that the information it contains (email address, company address, company phone, etc.) is routinely requested by sign-up pages for websites and online services.
Moving forward and managing a commercial database leak
Information security is growing more complicated and should start shifting from internal strategies to more collaborative policies. All relevant internal parties should be involved—from IT to legal, procurement and others—to manage security and create a solid risk management program. And this should also include business partners that are valuable to the company. Companies also have to secure their IT supply chain, since external providers will have access to valuable company data, and can be tempting targets for the diverse data they store for various customers. A joint security effort is beneficial for everyone involved.
We have also reached a point where companies have to operate under the assumption that they and their employees have already been compromised. Security measures have to be updated against attacks that might utilize previously stolen user information, such as sophisticated social engineering scams and phishing attacks. Attackers can also use leaked data to create more tailored emails and target high-ranking individuals in the company—the more information an attacker has, the better lure they can create to attract and entrap victims. Employees should be made aware of the risks and the attack methods used by cybercriminals, and manage their personal data privacy.
Lawmakers, enterprises, and individuals are all invested in finding a solution for data collection and data privacy problems. The General Data Protection Regulation (GDPR) is set to be enforced in the EU in May 2018 and, when in effect, will hold enterprises more responsible for guarding the data they collect and store. But while this is a step in the right direction, enterprises have to stay ahead of the curve—responsibly ensuring the security of their data, as well as the personal information of all their customers and employees.