Every one of the top 350 companies listed on the London Stock Exchange is leaving itself open to cyber attacks, fraud and phishing by unintentionally leaking sensitive data online, a new report claims.

Cyber security
FTSE 350 companies are leaving employee names and email addresses on public display, posing a security threat. (Credit: Reuters)

Published today, the report by KPMG accuses FTSE 350 companies of failing to keep their networks safe, and as a result the safety of Britain's economy and national security as a whole could also be under threat due to simple flaws in web security.

By simulating the initial steps a would-be hacker would take to gain access to a website, KPMG found all 350 companies guilty of unintentionally leaking data by leaving employee names, email addresses and sensitive internal file location information online - all of which could be used by hackers to potentially gain access to a company's website and servers.

Martin Jordan, head of cyber response at KPMG, said: "What our research has shown is that companies do not have full control of their web presence at a time when cyber security has been turned upside down.

"Hacking is no longer about a few hacktivists. Now, hacking has become automated on an industrial scale - often with state sponsored agencies behind it - and attackers are aiming for an increased competitive edge by stealing company secrets and IP [intellectual property], or purely seeking financial gain through fraud."

The report found that, on average, FTSE 350 companies have 41 usernames, 44 email addresses and five sensitive internal file locations publicly available online.


Although it seems innocent enough, leaving employee names and email addresses in plain sight gives opportunistic hackers the chance to send phishing emails to those addresses; all it takes is for one employee to click on a malicious link within such an email for hackers to gain access to an internal network and potentially sensitive data.

The Syrian Electronic Army is believed to have gained access to a number of Twitter accounts belonging to news organisations by sending out phishing emails. An email saying a company's Twitter account has been hacked, and encouraging the receiver to enter their username and password, might fool an employee into doing so, putting the account into the hands of hackers.

The most high profile of these attacks came when a Twitter account belonging to the Associated Press was hijacked and used to tweet that President Obama was injured following a Whitehouse attack with the news caused the Dow Jones to dip 150 points almost instantly wiping $200 billion off the market.

The Financial Times also saw its Twitter account compromised following a spate of phishing emails being sent to employees.

Worringly, it was companies in the aerospace and defence sectors which recorded the highest number of leaked internal email addresses - a fundamental component to sending phishing emails.

Outdated security

The KPMG report also found that 53% of FTSE 350 companies did not have up-to-date security patches on their computer networks, or were using old server software, making them potentially vulnerable to attack. Companies in the support services and software & computer services sectors topped the list for most vulnerabilities.

Jordan added: "Our findings send out a clear message to business - while the internet may be a shop window to the world - it can also be a substantial security risk. FTSE 350 companies should accept that cyber threats are real.

"Protecting their networks is not just about self-interest; [it] is about safeguarding the economy and, in the case of critical national infrastructures, it is also about the safety of the population."