Kaspersky Lab Confirms Website Attack; Verifies No Data Was Compromised

The usa.kaspersky.com domain was attacked on Friday, February 6, 2009. The attack occurred when a SQL injection attack was launched on a subsection of the site, the support site. A vulnerability was in the code of the support site when a new version of the site was rolled out at the end of January. The attack was successful in penetrating the support site, but it was unable to take data from the site and as a result no data was compromised.

Upon notification of the vulnerability, company personnel took immediate action to address the issue, and the vulnerability was remediated within 30 minutes of notification. The attack was not able to access to any other portions of any other Kaspersky Lab sites – including ecommerce sites.

The company’s experts are currently investigating the incident and to go a step further have hired Next Generation Security Software’s David Litchfield to further investigate. Upon completion, the results of Litchfield’s report will be made public.

Kaspersky Lab recognizes the fact that this attack could have had much more serious ramifications and is doing an extra-thorough security audit of all official Kaspersky Lab sites and developing additional internal review processes to ensure the company’s corporate resources are protected from similar attacks in the future.

It should also be noted that Kaspersky Lab’s core competency as a company is developing anti-malware solutions and our research and development is a different group from our web developers, therefore the quality of the solutions we deliver has not been compromised in any way.