Cyber dangers and glass houses


It was marked "URGENT" and promised shocking news about risks to our national security and economy from poor cyber defences.

The email from the accountancy firm KPMG said its survey of British firms showed they were leaking data on an alarming scale. But I'm afraid it awoke my inner mischief-maker - and set me wondering just how secure was KPMG itself.

The company said its cyber response team had examined public data from every FTSE 350 firm to see if they were vulnerable to attackers. They found that every single one of them was leaking email addresses, employee usernames and sensitive file locations - the sort of material that would make the work of hackers a lot easier.

But is it possible to leave no trace online that cyber attackers might exploit? To answer this, I recruit my own cyber response team in the form of the security blogger Graham Cluley and ask him to take a look at KPMG's own online public presence. Within minutes he reports back.

"We know from the press release," he tells me, "that KPMG's email format is Go to LinkedIn, search for KPMG UK employees. I'm seeing 2742 results at the moment.


"I could email those 2742 employees, forging my email address to be the chairman of KPMG. He helpfully gives his email address on the company website.

"The email could say something like 'Great news team! We have launched a new KPMG intranet at (insert dangerous link here). Simply login with your usual network username and password to get the new great content... blah blah' and chances are that I would phish some of the KPMG team.

"Of course, it would be easy to be more targeted than that. Once I have the network username and password, I might be able to install spyware, or use stolen details to remotely log into their network or get up to other mischief."

A little later, he comes back with another discovery: "Oh dear - documents marked 'confidential' on KPMG's website, accessible via a simple Google search." He encloses a screen grab, with a list of documents, one marked:

"This document is CONFIDENTIAL and its circulation and use are RESTRICTED under the terms of KPMG's engagement letter"

Now KPMG is doing nothing that just about every other organisation on the planet doesn't also do, and I am sure that its employees are well-versed in spotting the kind of phishing attack that Mr Cluley describes. But it might be better to check your own defences before sending out shocking reports about the state of other companies.

When I ask KPMG to comment, the company says:

"As you might expect, KPMG put its own site through the same examination as we did other sites. We recognise that many websites provide some level of data leakage and with this in mind, the purpose of our report is to highlight concerns so they can be dealt with, rather than highlight individual weak spots. We were careful not to reveal specific weaknesses of any company as it would be inappropriate to do so."

Article written by Rory Cellan-Jones, Technology correspondent


    Comment number 96.

    Working in IT it's common to find that the higher up the management tree you get, the more access the individual expects. In most cases this is exactly the opposite of what is required, but 'Access' is seen as a surrogate for 'Status'. I have seen many IT managers overruled by the MD on this basis.


    Comment number 95.

    In many large corporations the higher one goes the less people know about the detail but the more power they have to change things. So the expert at the bottom can often see the problems but has no power to change anything. The guy at the top has the power but doesn't know anything is amiss. KPMG type reports have a value if they trigger the man at the top to speak to the expert at the bottom.


    Comment number 94.

    Well, what do you expect when you put stuff in the cloud? It rains, at best.
    Back to basics. Don't connect important computers to the internet; certainly don't leave them connected 24/7.


    Comment number 93.

    Almost a quarter of a century in IT has taught me the value of one of the industry's many acronyms: PICNIC

    Problem In Chair, Not In Computer.

    As the old phrase goes, a chain is only as strong as its weakest link! Once the industry's management realise this, costs can be identified and addressed. They also need to differentiate between "cost" and "value".

    Sadly UK management usually don't!


    Comment number 92.

    Sum it up in one word:- PRISM!





Copyright © 2015 BBC. The BBC is not responsible for the content of external sites. Read more.
