Most people will have heard of Dun and Bradstreet (D&B). If you haven't, in a nutshell they are a worldwide data company.
In their words: "Our platform’s foundation is the world’s largest commercial database, with over 240 million company records we derive from 30,000 data sources and update 5 million times per day."
D&B allocate companies a "DUNS number" (Data Universal Numbering System), which is how you know if your business is registered on their database. This number is used to establish a business credit file, which third parties reference for a variety of reasons, such as lending decisions or checking the reliability of potential business partners.
Because D&B are so well established, these data sets are referenced by governments around the world. For example, to tender for a UK Government contract, you must have a DUNS number (see below).
Our legal business name, which we don't trade under, was hijacked and used for fraudulent purposes. In essence they utilised our business trading address, name, business number and VAT number to conduct a complex VAT fraud. Apparently we were doing everything from selling halal meat and dealing in scrap metal to exporting tractors to Eastern Europe.
After a few visits from the HMRC criminal investigation team, we got a clean bill of health and I spent considerable time asking hosting providers to take down fake websites that had been set up in our Ltd company name.
But the most surprising aspect, which only came to light very recently, was that our DUNS number had also been hijacked, which gave the original fraud the credibility it needed. Our D&B listing had been amended without our knowledge to a fake web address and a telephone number with a Bristol area code. As our address remained the same and Warwickshire based, it wouldn't take too much due diligence to see that this was a little odd.
Contacting D&B was very straightforward and the customer services contact couldn't have been any more helpful, happily changing our details straight away and assuring me the correct details were indeed live on their system.
After putting the phone down, I suddenly realised how simple the whole process had been and that at no point had I been asked for any verifying information other than giving my public DUNS number. I phoned back to make a further amendment and challenged the ease with which updates seemed to be made, asking how the customer service person knew I was who I actually said I was.
After some waffle about how due diligence checks are carried out before any amendments are made, I was also assured that an alert would be placed on my account and that, moving forward, I would be notified of any changes to my details.
How we found out
Although the hijacking of our business name happened a while ago and has long since been resolved, we never realised the D&B listing had been compromised. It came to light when we ordered a website security certificate for a new website we are launching.
The certificate shows up in your web browser and tells the world that your website is secure, giving a website visitor the confidence that you are who you say you are. The web address will show as https and you should see a padlock symbol. As an example, below is how the certificate is displayed for this site using a Google Chrome browser.
The SSL provider we have utilised for our new website is www.comodo.com, and they use D&B as an authentication source to ensure you are who you say you are before issuing a website certificate. In our case they questioned the fact that our telephone number was different on our D&B listing. Explaining it was a scam number and not even the correct area code for our business address held little sway with the overseas call centre. The Comodo response was that they took the information from the D&B listing; if these details were wrong, then you had to get them amended by D&B. Once the correct details were visible, Comodo would issue a certificate.
In light of how easy it was to edit the D&B listing, this itself is even more worrying, as it brings into question the confidence in SSL certificates and website security in general, showing how open it is to potential abuse.
The whole experience has left me feeling a little uncomfortable, as we seem to live in an age where data breaches seem to become ever more frequent. The D&B approach to data amendments seems a little sloppy in light of how this data is used for reference purposes, and by whom.
If you have a DUNS number, it might be worth phoning up and confirming your details. It won't cost you anything and you can request that they send you a PDF of the data they hold on you so you can double check it. Maybe even ask if they can lock your details and alert you if any changes are made.
You can contact them by calling 0845 145 1700 or emailing email@example.com
Come on D&B, maybe start doing this as the norm. If you have our details, then tell us when they are being amended, even just a simple email confirmation link.