KPMG found leaking data, as it criticises every single company in the FTSE 350 for doing the same

BBC Technology correspondent Rory Cellan-Jones contacted me this morning about a press release that had arrived in his inbox entitled "Economic growth and national security put at risk as FTSE 350 fail to raise cyber defences, says KPMG".

[Image: KPMG press release]

Just by using public domain sources on the internet, KPMG's team discovered that every single company in the FTSE 350 is leaking data online.

As the press release explains:

"KPMG found that every single company on the list was leaking data by leaving employee usernames, email addresses and sensitive internal file location information online, and therefore potentially could be used by hackers. In fact the firm found that, on average, 41 usernames, 44 email addresses and five sensitive internal file locations were available for each company."

Crumbs. Well, that does sound serious.

And it made Rory wonder - just how well does KPMG itself handle this kind of thing?

As I had a spare ten minutes, I thought I would find out for him.

First things first. The press release from KPMG gives the email address of the company's Press Officer, Mike Petrook.

First name, last name

Now I know that KPMG UK uses the email format firstname.lastname@kpmg.co.uk

But even if I didn't have the press release, this would have been easy to find out.

Simon Collins, KPMG's Chairman, helpfully provides his email address (as do fellow members of the executive team) on the company's management page:

Simon Collins

So, we know the format of email addresses used inside KPMG. How on earth are we going to find out the names of KPMG staff to fill in the blanks?

Oh yes...

KPMG staff on LinkedIn

I'm no LinkedIn wizard, but when I searched for users currently employed by KPMG in the UK I found the names of 2,742 people.

So, if I had malice in mind, I could forge my email headers to pretend to be KPMG chairman Simon Collins, and email those 2,742 workers.

If I were a fraudster, I could disguise my email to appear as though it were a genuine communication from the chief, perhaps announcing a new employee benefits package, or free iPads to the staff who best keep their desks tidy in the next week.

The point is that I could use social engineering to trick potential victims into, say, visiting a website, installing a piece of malicious code, perhaps phishing users' network username and password and... bingo!

Of course, there's no necessity to email those 2,742 people. It would be easy to be more targeted than that. Perhaps only try to dupe senior members of staff who may have access to particularly sensitive information and communications.

And once I have purloined their network username and password, I might be able to install spyware, or use stolen details to remotely log into KPMG's network and get up to other mischief.

But, in light of KPMG's press release, there is worse than that.

KPMG takes companies to task for sharing sensitive information online. Information which should be kept confidential.

Well, just try googling KPMG's website...

[Image: Google search results for KPMG documents marked "confidential"]

I have no way of knowing if these documents really are confidential or not. But it's clearly embarrassing for KPMG, whose press release warns about companies leaking data online, that they themselves have a whole bunch of documents available for anyone on the internet to read, despite them being marked as "confidential".

I'm not picking on KPMG here. Well, actually I am. After all, it was them who put their head above the parapet with this press release. They might have been wise to get their own house in order first.

The truth is that it's very, very hard for any company to keep information such as employees' email addresses and usernames off the internet, and all too easy for documents which should be considered "confidential" to show up in search results.

It may be fun to have a laugh at KPMG's expense today, but the point it was trying to make with its press release was a valid one. If you want to keep your valuable data and intellectual property out of the hands of cybercriminals, you need to run a tight ship.

Read more about "Cyber dangers and glass houses" on Rory's blog.


2 Responses

  1. Jack Duncan

    July 24, 2013 at 10:50 am

    The more I read these stories from you the more I think back to the old ways. Back in the 80s the only way to access any confidential information was on paper or some of the oldest of laptops. I worked for a now defunct major computer manufacturer and our briefcases were randomly searched by 'human' security. (Days of pocket protectors and briefcases.) If you were caught with certain categories of documents you could be fired on the spot. As I remember those days it was easier to get the old laptops past security because the security team did not understand them. It was far simpler to defend then than today, where tentacles can reach every nook and cranny of data. Ah, for the good old days!

    • coyote in reply to Jack Duncan.

      November 26, 2015 at 2:04 am

      Even then it wasn't that simple. That's not even considering dumpster diving / skip diving which was a huge problem (and arguably it still is). Meanwhile, some corporations did have policies regarding devices leaving and entering their premises. It's always been complicated and it always will be; the difference is how it is complicated (which also will depend on the environment, legal requirements, etc.).
