• Type: Case study, KPMG information, Press release
  • Date: 7/25/2012


Publish and be damned - What does your online corporate profile reveal? 

KPMG Cyber Vulnerability Index 2012

With so many cyber attacks in the news recently, executives are becoming increasingly concerned about their organisation’s exposure to hackers. And so they should. According to the KPMG Cyber Vulnerability report 2012, more than three quarters of the Forbes 2000 companies leak potentially dangerous data.
  • Financial Services account for 50 percent of the industry at risk with Banking the sector at highest risk
  • Technology, Media, and Telecommunications account for over 20 percent of the sectors at risk

KPMG performed research across the Forbes 2000 list of companies, with the aim of performing the same initial steps that cyber attackers and organised criminals would perform when profiling a target organisation for attack, using techniques that are often referred to as Advanced Persistent Threats, or ‘APTs’.

This publication provides a view on the common basic tactics hackers employ, highlights the industries and regions most at risk, and provides advice and guidance on how to safeguard your organisation.



Key findings of the report are summarised below:

Collecting Meta-data


  • 78 percent of Forbes 2000 Corporate websites leak some form of potentially useful information through document meta-data
  • According to retrieved version information from document meta-data, 71 percent of the Forbes 2000 companies may be using potentially vulnerable and out-dated versions of Microsoft and Adobe software

Harvesting Sensitive Locations and Hidden Functionality


Part of our research focused on the structure of the Forbes 2000 corporate websites to identify any potentially sensitive file locations or hidden functionality that may be useful to cyber attackers. While navigating the sites, we found a number of keywords that revealed interesting file locations that would stimulate further investigation by cyber attackers.


When serving test, upload or hidden functionality, many companies face the associated risk of cyber attackers defacing websites, or assuming control of these sites. Cyber attackers may also use this newly gained functionality to inject malware into the sites, which will infect all subsequent visitors of those sites.

Gathering Data from Popular Search Engines

As part of many popular search engine services, discussions are stored within a searchable web cache and can be queried for specific postings by users. In addition to the meta-data available, individuals often expose sensitive information within these postings about the technologies currently in use by organisations. Online discussions often reveal details of corporate projects and the technologies companies use. They also reveal e-mail addresses of potential spear-phishing targets.


  • Technology and Software post far more information to online forums and newsgroups than all other sectors combined

Web Server Software Vulnerabilities

Corporate websites run on an underlying web server technology. When a website is accessed, the web server often reveals its software version, which is typically hidden from a web browser’s view. Information leakage in these web banner software versions can prove to be of significant value to an attacker when profiling a remote target site and server.


  • 16% of Forbes 2000 corporate web servers may be vulnerable to attack due to missing security patches or outdated server software
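
A check an organisation can run over responses captured from its own web servers to find the banner leakage described above. This is an added example, not part of the KPMG report; the header watch list and both sample responses are constructed assumptions.

```python
import re

# Response headers that commonly carry product and version strings
# (an assumed watch list, extend it for your own stack).
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
VERSION = re.compile(r"\d+(?:\.\d+)+")   # dotted version such as 2.2.3 or 5.1

def parse_headers(raw):
    """Parse the header block of a raw HTTP response into (name, value) pairs."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]   # drop the body
    pairs = []
    for line in head.split("\n")[1:]:          # skip the status line
        if line[:1] in (" ", "\t") and pairs:  # obsolete folded continuation line
            pairs[-1] = (pairs[-1][0], pairs[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_banner(raw):
    """Return one finding per watched header that discloses a software version."""
    findings = []
    for name, value in parse_headers(raw):
        if name in DISCLOSING:
            versions = VERSION.findall(value)
            if versions:
                findings.append({"header": name, "value": value, "versions": versions})
    return findings

# Constructed sample responses (not taken from the report).
LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "X-Powered-By: PHP/5.1.6\r\n"
    "Content-Type: text/html\r\n\r\n<html>body 1.2.3</html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit_banner(sample))
```

A finding means the server configuration should be changed to suppress or genericise that header; an empty result does not show the server is patched, only that the banner no longer advertises its version.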

Who is most at Risk?

The Top 10 Forbes 2000 companies leaking information hail from either the US or Japan.


The most information leaks by sector are from Financial Services, Software, Technology, Telecoms and Banking organisations.

