
Kaspersky notified 258 companies worldwide last year that their private data was being offered for sale online. The initiative, which Kaspersky set up voluntarily, revealed that many companies handle data breaches incorrectly. During Kaspersky’s NEXT 2023, we took some time to talk with the lead researcher behind this initiative.

Last year, 25 Kaspersky researchers monitored the dark web for new data breaches. “With the help of our own developers, my team was automatically notified of new information on the dark web. We were also able to eliminate the problem of false data leaks through the developers,” explains Yuliya Novikova, executive of Digital Footprint Intelligence at Kaspersky. Fake data leaks circulate regularly on the dark web. They are spread in the hope that someone will still pay for the information, so that the person behind them can earn an extra penny. Fake data leaks contain only publicly known information, such as information circulating on social media or data from an old data breach.

Kaspersky found a total of 258 new data breaches. It then spent a year notifying the affected companies about the data breach, even if they were not clients of the security company. “We involved our sales team to contact the companies. After all, we investigators have no idea how best to make this contact. We did pass on all the information we had, such as a reference to the leak, so that the company involved could be contacted completely transparently,” Novikova says.

No point of contact

As it turned out, in 42 percent of the data breaches found, the sales team still had to embark on an extensive search for contact information before it could report the data breach. Information about the right person to report a security incident to was completely lacking. Some companies turned out to be black boxes even after a long search. At many companies, the person contacted did not know to whom to report the incident further, which suggests a security protocol was completely lacking.

At others, no employee could be reached, so Kaspersky decided to keep the data to itself. “We didn’t think reporting the data breach to the country’s authorities was wise. This is because some countries lack competent authorities, or there is no clear legislation on how to handle this data breach. Therefore, we thought it safer not to report the data breach.”

Ignorant attitude

Overall, there appeared to be great ignorance in the corporate world about the proper way to handle a data breach. In 28 percent of the companies, no further action was taken on the report. This could have been due to a lack of cybersecurity resources. Other companies ignored the incident completely, believing that the problem did not exist as long as they did not pay attention to it themselves.

Only 22 percent of the security incidents found were eventually addressed by the company involved. A further 6 percent were already aware of the security breach when Kaspersky notified them. “Very few companies have the resources to investigate data breaches themselves. It cost us a team of 25 investigators, and we eventually had to expand that to a large part of the sales team. Therefore, my advice to companies is not to invest in data breach research, but rather in products to prevent security incidents,” Novikova comments.

Next year, Kaspersky plans to limit this research to the company’s partners and customers. According to Novikova, it costs too many resources to continue offering it at no cost to all companies.
