Kaspersky Touched Nearly Every Company. They’ll Need to Report They’ve Potentially Been Hacked.
The Wall Street Journal reports that the US government has known about the threat from Kaspersky Lab since 2003. For some reason, this information was kept from American corporations and citizens. Had they said something, it is possible the user base for this antivirus company would not have grown to 400 million users!
This staggering number includes virtually every corporation. A single logon to a company computer from a PC with Kaspersky software could have been monitored and the data potentially captured. The government has confirmed this has happened to at least one of their workers. This means even companies not officially using Kaspersky have potentially been breached.
The fact that this has been going on for almost a decade and a half makes the situation that much worse.
We’ve tried in vain to get the FBI to tell us what companies need to do if their users used Kaspersky. We’ve reached out repeatedly but they won’t say.
We think it is time they make a public statement telling corporations what to do. They have been active in private with a handful of companies, but this is unfair to the rest of the companies, which haven’t been contacted.
As a public service, we have advised users they need to report a breach to the proper authorities and compliance agencies.
Keep in mind, we did this before we learned the problem goes back 13 years.
Every company should be auditing their systems and those of their remote workers to see if this software is currently installed or has been in the past.
There is a small chance this matter will just go away and be a temporary blip in the news cycle. However, what we see as far more likely is a dribble of news implicating Kaspersky software as the method for leaking data in numerous corporations and government agencies.
As this happens, awareness will build, and many companies will likely come under the spotlight.
It won’t be long before the national media starts to hold the government accountable for not leveling with citizens in public. The time for them to have acted was 13 years ago but even a statement today is better than none at all.
In the meantime, all organizations should have a catalogue of potentially affected systems and, moreover, they should be cross-referencing these with the data those machines might have had access or permissions to. It’s a tedious process, but the sooner it is done, the more accurate it will be. They should further share this information as needed with the proper authorities and compliance agencies, including, ironically, the FBI.
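One way to start the audit and catalogue described above on a Windows host, as an added example that is not from the original post: it checks the standard uninstall registry keys for a current install, the service list for leftovers, and the Windows Installer events in the Application log for installs or removals in the past. The function name, the output columns, and the host tagging are assumptions of this example.

```powershell
# Added example: inventory one Windows host for current or past Kaspersky
# installs. Registry and event-log locations are standard Windows ones; the
# function name and the output shape are assumptions of this example.
function Get-KasperskyFootprint {
    [CmdletBinding()]
    param([string]$Pattern = 'Kaspersky')

    $hits = New-Object System.Collections.Generic.List[object]

    # 1. Currently installed products (64-bit and 32-bit uninstall keys).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern -or $_.Publisher -match $Pattern } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{
                Source = 'Registry'; Name = $_.DisplayName
                Detail = "v$($_.DisplayVersion) ($($_.Publisher))"; Date = $_.InstallDate
            })
        }

    # 2. Registered services, which can survive a partial uninstall.
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern -or $_.Name -match $Pattern } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{
                Source = 'Service'; Name = $_.Name; Detail = $_.Status; Date = $null
            })
        }

    # 3. Past installs/removals recorded by Windows Installer in the
    #    Application log (1033/11707 = installed, 1034/11724 = removed).
    $filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'
                 Id = 1033, 1034, 11707, 11724 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{
                Source = 'EventLog'; Name = "MsiInstaller $($_.Id)"
                Detail = ($_.Message -split "`n")[0].Trim(); Date = $_.TimeCreated
            })
        }

    # Tag each record with the host so results from many machines can be merged.
    $hits | Select-Object @{n='Host';e={$env:COMPUTERNAME}}, Source, Name, Detail, Date
}

Get-KasperskyFootprint | Format-Table -AutoSize
```

Run it across the fleet with Invoke-Command and pipe to Export-Csv to build the catalogue of affected systems, then join that list against your data-access records (file shares, application entitlements) for the cross-reference step.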