BBC Technology correspondent Rory Cellan-Jones contacted me this morning, about a press release that had arrived in his inbox entitled "Economic growth and national security put at risk as FTSE 350 fail to raise cyber defences, says KPMG".
Just by using public domain sources on the internet, KPMG's team discovered that every single company in the FTSE 350 is leaking data online.
As the press release explains:
"KPMG found that every single company on the list was leaking data by leaving employee usernames, email addresses and sensitive internal file location information online, and therefore potentially could be used by hackers. In fact the firm found that, on average, 41 usernames, 44 email addresses and five sensitive internal file locations were available for each company."Crumbs. Well, that does sound serious.
And it made Rory wonder - just how well does KPMG itself handle this kind of thing?
As I had a spare ten minutes, I thought I would find out for him.
First things first. The press release from KPMG gives the email address of the company's Press Officer, Mike Petrook.
Now I know that KPMG UK uses the email format firstname.lastname@kpmg.co.uk
But even if I didn't have the press release, this would have been easy to find out.
Simon Collins, KPMG's Chairman, helpfully provides his email address (as do fellow members of the executive team) on the company's management page:
So, we know the format of email addresses used inside KPMG. How on earth are we going to find out the names of KPMG staff to fill in the blanks?
Oh yes..
I'm no LinkedIn wizard, but when I searched for users currently employed by KPMG in the UK I found the names of 2,742 people.
So, if I had malice in mind, I could forge my email headers to pretend to be KPMG chairman Simon Collins, and email those 2,742 workers.
If I was a fraudster, I could disguise my email to appear as though it were a genuine communication from the chief, perhaps announcing a new employee benefits package, or free iPads to the staff who best keep their desks tidy in the next week.
The point is that I could use social engineering to trick potential victims into, say, visiting a website, installing a piece of malicious code, perhaps phishing users' network username and password and... bingo!
[...]