Research by global IT security company ImmuniWeb showed that 97% of cybersecurity firms had faced data leaks on the Dark Web and that a significant number of these happened in August. This shows that even cybersecurity companies, the firms whose business is protecting their customers' assets, are not safe from cyberattacks.
The research included 398 companies headquartered in 26 countries, mostly the US and Europe. Out of these, only those from Switzerland, Portugal, and Italy did not suffer from damage to critical data.
More than 600,000 verified data leaks were observed in the research, and almost a quarter of these were of high or critical level. That works out to more than 1,500 stolen credentials and other data leaks per firm.
Lousy security procedure was the primary cause of the high number of leaks. Employees using weak passwords (fewer than 8 characters, only numbers, no mix of lower and upper case, no symbols, etc.) are the prime culprits in this research.
Use of professional email addresses on adult video sites or adult dating sites was another important cause of the leaks. This allows third parties to access company credentials and opens up avenues for trojan horses (like Qbot and Emotet) to hack into company software.
Companies themselves are also responsible for this maladministration. They keep using old, outdated, and vulnerable software and ignore PCI DSS and General Data Protection Regulation (GDPR) requirements.
According to a report by The Hindu, more than half of the leaked data involved plaintext information like financial credentials. Also, a quarter of these leaky companies remain unpatched to date.
Ilia Kolochenko, CEO & Founder of ImmuniWeb, said, “Today, cybercriminals endeavour to maximize their profits and minimize their risks by targeting trusted third parties instead of going after the ultimate victims. These third parties, ranging from law firms to IT companies, usually lack internal expertise and budget required to react quickly to the growing spectrum of targeted attacks.” Kolochenko also stated that the hackers’ task was simply to “crack the weakest link”.