Over 97% of the world's largest cyber security companies have suffered data leaks and other security incidents exposed on the Dark Web, suffering over 600,000 security incidents in total since 2012, a report from ImmuniWeb has revealed.
The firm arrived at this conclusion after researching data leaks and exposed security incidents on hacking forums, public code repositories, underground marketplaces, WhatsApp groups, social networks, and IRC and Telegram channels. The research covered 398 of the world's largest cyber security companies, most of them based in the United States and Europe.
ImmuniWeb discovered as many as 631,512 security incidents involving cyber security companies, out of which 160,529 incidents were of high or critical risk levels, with the first of such incidents taking place in 2012. These incidents ranged from the theft of login credentials stored in plain text, the hacking of third-party vendors, and professional emails taken from hacked porn or adult dating websites.
The twenty cyber security companies headquartered in the UK, who featured in the list of the top security firms, suffered a total of 285,686 security incidents out of which 29,226 incidents were deemed high risk or critical and involved the loss of sensitive data such as PIIs, intellectual property, and financial records.
The fact that the world's top cyber security companies are suffering security incidents so regularly shouldn't come as a surprise, considering the websites of 63% of such companies do not comply with PCI DSS requirements, 48% of their websites do not comply with GDPR requirements, and employees at 161 security companies reuse their passwords regularly.
We have also covered various incidents of cyber security firms suffering breaches due to a lack of standards in place to prevent breaches and data leaks. In February last year, personal details of present and former employees of security firm Palo Alto Networks was compromised when one of the firm's third-party vendors inadvertently posted the said data online.
In November 2019, security firm Trend Micro said that a "malicious insider" sold personal information of approximately 68,000 of its customers to third parties after improperly accessing data stored in its systems with "clear criminal intent".
Cyber security consultancy firm Accenture also narrowly avoided a massive data breach in 2017 after it was found that the firm stored bundles of sensitive data containing decryption keys and customer information in four cloud servers without protecting them with passwords.
The unprotected AWS cloud servers were discovered by security research firm UpGuard who found that the servers contained sensitive Accenture data including secret APIs, authentication credentials, certificates, decryption keys, and customer information. All this data (up to 137GB) was publicly downloadable and could be accessed by anyone with web addresses for the four unsecured servers.
Commenting on ImmuniWeb's findings, Boris Cipot, senior security engineer at Synopsys, said the ever-changing composition of employees, each with their own understanding of the technology stack at their disposal and their own perception of the risks associated, impedes any attempt of achieving 'immunity to cyber risk'.
"The only thing organisations can do is to monitor the situation, educate their employees and try to follow up on risks they can control, endeavouring to mitigate these. Everyone needs to understand that not all employees are cybersecurity experts, even if they work in a security company," he said.