Last month, Brian Krebs revealed that SSNDOB, an identity theft service, operated a botnet that tapped into some of the biggest databases in the country to get the information they sold. One of those firms was Dun & Bradstreet:
Two other compromised systems were located inside the networks of Dun & Bradstreet, a Short Hills, New Jersey data aggregator that licenses information on businesses and corporations for use in credit decisions, business-to-business marketing and supply chain management. According to the date on the files listed in the botnet administration panel, those machines were compromised at least as far back as March 27, 2013.
Today, Dun & Bradstreet uploaded a copy of a notification letter they are sending to people. It reads, in part:
We are writing to inform you of an incident that may have involved your personal information. Dun & Bradstreet (D&B), a provider of business information, recently learned that it was one of several victims of a criminal cyberattack.
Based on our investigation of the incident to date, we believe the attack primarily occurred during a fifteen (15)day period in March and April 2013 and potentially resulted in unauthorized access to our environment, including one of our commercial information databases. The potentially exposed information is generally available from public sources. In some circumstances this information may have included certain personal information provided in a business context. This letter has not been delayed by a law enforcement investigation.
D&B is actively investigating the matter and is working with law enforcement. We have identified you as one of the individuals whose personal information may be at risk. Based on the facts known to the company at this time, the personal information in the database included your name and a business identification number that may have also been your social security number.
I don’t know if Dun & Bradstreet has thanked Brian Krebs, but it appears that they should be thanking him for making him aware of a breach they may not have discovered on their own.
Update: They also reported the breach to New Hampshire, where 277 residents were notified.