BBC Technology correspondent Rory Cellan-Jones contacted me this morning, about a press release that had arrived in his inbox entitled “Economic growth and national security put at risk as FTSE 350 fail to raise cyber defences, says KPMG”.
Just by using public domain sources on the internet, KPMG’s team discovered that every single company in the FTSE 350 is leaking data online.
As the press release explains:
"KPMG found that every single company on the list was leaking data by leaving employee usernames, email addresses and sensitive internal file location information online, and therefore potentially could be used by hackers. In fact the firm found that, on average, 41 usernames, 44 email addresses and five sensitive internal file locations were available for each company."
Crumbs. Well, that does sound serious.
And it made Rory wonder – just how well does KPMG itself handle this kind of thing?
As I had a spare ten minutes, I thought I would find out for him.
First things first. The press release from KPMG gives the email address of the company’s Press Officer, Mike Petrook.
Now I know that KPMG UK uses the email format email@example.com.
But even if I didn’t have the press release, this would have been easy to find out.
Simon Collins, KPMG’s Chairman, helpfully provides his email address (as do fellow members of the executive team) on the company’s management page:
So, we know the format of email addresses used inside KPMG. How on earth are we going to find out the names of KPMG staff to fill in the blanks?
I’m no LinkedIn wizard, but when I searched for users currently employed by KPMG in the UK I found the names of 2,742 people.
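Here is what the "fill in the blanks" step looks like in practice, as an added example that is not part of the original post: one public name/address pair (the chairman's, from the management page) is enough to infer which convention a company uses, and that convention is then applied to every name a LinkedIn search turns up. The real KPMG format is not reproduced above, so the conventions, the placeholder domain and the sample names below are all assumptions of this example, not the article's data.

```python
import re
import unicodedata

# Constructed sample of the kind of names a LinkedIn search returns.
# These are made-up people, not any of the 2,742 real results.
SAMPLE_NAMES = [
    "Simon Collins",
    "Siobhán O'Brien",        # accent and apostrophe need folding
    "Jean-Luc Picard",        # hyphenated first name
    "Mary Jane Watson",       # middle name is usually dropped
    "Dr. Ahmed bin Salman",   # honorific in front, particle in the surname
]

# Assumed conventions on a placeholder domain; the article's own format was
# redacted, so none of these is claimed to be the one KPMG uses.
DOMAIN = "example.com"
PATTERNS = {
    "first.last": "{first}.{last}",
    "f.last": "{fi}.{last}",
    "firstlast": "{first}{last}",
    "flast": "{fi}{last}",
}

TITLES = {"dr", "mr", "mrs", "ms", "prof", "sir"}


def _ascii_token(s):
    """Fold accents (Siobhán -> siobhan) and drop anything that is not a-z."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", s.lower())


def split_name(full_name):
    """Return (first, last) tokens, or None if the name cannot be split.

    Honorifics are discarded; the first remaining word is the given name and
    the last remaining word is the surname (so 'bin Salman' -> 'salman').
    """
    parts = [p for p in re.split(r"\s+", full_name.strip()) if p]
    parts = [p for p in parts if _ascii_token(p) not in TITLES]
    if len(parts) < 2:
        return None
    first, last = _ascii_token(parts[0]), _ascii_token(parts[-1])
    if not first or not last:
        return None
    return first, last


def infer_pattern(known_name, known_address):
    """Work out the convention from one public name/address pair.

    Returns (pattern_name, domain), or None if no known pattern fits.
    """
    local, _, domain = known_address.lower().partition("@")
    split = split_name(known_name)
    if split is None:
        return None
    first, last = split
    for name, tmpl in PATTERNS.items():
        if tmpl.format(first=first, last=last, fi=first[0]) == local:
            return name, domain
    return None


def candidate_addresses(names, pattern, domain):
    """Apply an inferred convention to a list of employee names.

    Names that cannot be split are skipped; duplicates are removed while
    preserving the order of first appearance.
    """
    out, seen = [], set()
    for n in names:
        split = split_name(n)
        if split is None:
            continue
        first, last = split
        addr = PATTERNS[pattern].format(first=first, last=last, fi=first[0])
        addr = f"{addr}@{domain}"
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


if __name__ == "__main__":
    # Step 1: the chairman's public address (hypothetical value) gives away the format.
    inferred = infer_pattern("Simon Collins", "simon.collins@example.com")
    print("inferred convention:", inferred)
    # Step 2: apply it to everyone the people search returned.
    pattern, domain = inferred
    for addr in candidate_addresses(SAMPLE_NAMES, pattern, domain):
        print(addr)
```

The normalisation is where most home-grown scripts go wrong: accents, apostrophes and hyphens have to be folded the same way the company's own mail system folds them, and a name with only one usable token is better skipped than guessed. Nothing here touches the network; it only shows how far public information alone takes an attacker before any email is sent.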
So, if I had malice in mind, I could forge my email headers to pretend to be KPMG chairman Simon Collins, and email those 2,742 workers.
If I was a fraudster, I could disguise my email to appear as though it were a genuine communication from the chief, perhaps announcing a new employee benefits package, or free iPads to the staff who best keep their desks tidy in the next week.
The point is that I could use social engineering to trick potential victims into, say, visiting a website, installing a piece of malicious code, perhaps phishing users’ network username and password and… bingo!
Of course, there’s no necessity to email those 2,742 people. It would be easy to be more targeted than that. Perhaps only try to dupe senior members of staff who may have access to particularly sensitive information and communications.
And once I have purloined their network username and password, I might be able to install spyware, or use stolen details to remotely log into KPMG’s network and get up to other mischief.
But, in light of KPMG’s press release, there is worse than that.
KPMG takes companies to task for sharing sensitive information online. Information which should be kept confidential.
Well, just try Googling KPMG’s website for documents marked “confidential”.
I have no way of knowing if these documents really are confidential or not. But it’s clearly embarrassing for KPMG, whose press release warns about companies leaking data online, that they themselves have a whole bunch of documents available for anyone on the internet to read, despite them being marked as “confidential”.
I’m not picking on KPMG here. Well, actually I am. After all, it was them who put their head above the parapet with this press release. They might have been wise to get their own house in order first.
The truth is that it’s very, very hard for any company to keep information such as employees’ email addresses and usernames off the internet, and all too easy for documents which should be considered “confidential” to show up in search results.
It may be fun to have a laugh at KPMG’s expense today, but the point it was trying to make with its press release was a valid one. If you want to keep your valuable data and intellectual property out of the hands of cybercriminals, you need to run a tight ship.
Read more about “Cyber dangers and glass houses” on Rory’s blog.