Russian state has tolerated parallel probiv market for its convenience but now Ukrainian spies are exploiting it
Russia is scrambling to rein in the country’s sprawling illicit market for leaked personal data, a shadowy ecosystem long exploited by investigative journalists, police and criminal groups.
For more than a decade, Russia’s so-called probiv market – a term derived from the verb “to pierce” or “to punch into a search bar” – has operated as a parallel information economy built on a network of corrupt officials, traffic police, bank employees and low-level security staff willing to sell access to restricted government or corporate databases.
The chair of the Office for Budget Responsibility has said he felt mortified by the early release of its budget forecasts as the watchdog launched a rapid inquiry into how it had “inadvertently made it possible” to see the documents.
Richard Hughes said he had written to the chancellor, Rachel Reeves, and the chair of the Treasury select committee, Meg Hillier, to apologise.
Kensington and Westminster councils investigating whether data has been compromised as Hammersmith and Fulham also reports hack
Three London councils have reported a cyber-attack, prompting the rollout of emergency plans and the involvement of the National Crime Agency (NCA) as they investigate whether any data has been compromised.
The Royal Borough of Kensington and Chelsea (RBKC), and Westminster city council, which share some IT infrastructure, said a number of systems had been affected across both authorities, including phone lines. The councils shut down several computerised systems as a precaution to limit further possible damage.
Sensitive information relates to more than 100 individuals and their referees
Personal details submitted by applicants for a job at Tate art galleries have been leaked online, exposing their addresses, salaries and the phone numbers of their referees, the Guardian has learned.
The records, running to hundreds of pages, appeared on a website unrelated to the government-sponsored organisation, which operates the Tate Modern and Tate Britain galleries in London, Tate St Ives in Cornwall and Tate Liverpool.
It’s become the playbook for big Australian companies that have customer data stolen in a cyber-attack: call in the lawyers and get a court to block anyone from accessing it.
When I joined Chronicle in the summer of 2019 — a name now rolled into the broader Google SecOps product (with SOAR by Siemplify and threat intel by Mandiant) — it was very much a startup. Yes, we were part of Alphabet, but the spirit, the frantic energy, the drive — it was a startup to its core.
And here’s the kicker (and a side rant!): I’m fundamentally allergic to large companies. Those who know me have heard me utter this countless times. So, in a matter of weeks after joining a small company, I found myself working for a very large one indeed.
To me, that pivot, that blending of startup momentum and big company scale, is, in many ways, the secret sauce behind our success today. It turns out, you need both the wild ambition of a young vendor and the solid foundation of a massive enterprise to truly move the needle (and the dots on the MQ … but these usually reflect customer realities).
The MQ and the Price of Poker
Now, as a reformed analyst who spent eight years in the Gartner trenches, I’ll clear up a misconception right away: the Magic Quadrant placement has precisely zero to do with how much a vendor pays Gartner. Trust me, there are vendors in highly visible SIEM MQ positions who’ve probably never sent Gartner a dime over the years.
Conversely, there are large organizations that have paid a fortune and have been completely excluded from the report. The MQ placement reflects customer traction and market reality (usually — there are sad yet very rare exceptions to this, and I will NOT talk about them; there is not enough whiskey in the world to make me). MQ placement is a measure of genuine success, not a destination achieved by writing a big check.
The Evolution of SIEM: Where Did the Brothers Go?
Reflecting on the last few years in SIEM (not 20 years!) and looking at the current MQ, a few things that were once controversial are now conventional wisdom:
SIEM must be SaaS and Cloud-Native. I’m old enough to remember when the idea of trusting your security data to the cloud was an existential debate. Today, with the relentless attack surface expansion, perhaps more people are realizing that the biggest risk is actually running a vulnerable, constantly-compromised on-prem SIEM stack. Data gravity shifted.
SIEM and SOAR are fully merged. They are, in essence, two inseparable brothers forming the core of modern SIEM — detection and response. SIEM is really SIEM/SOAR in 2025. Standalone SOAR vendors do exist and some “AI SOC” vendors are really “SOAR 3.0”, but these are — IMHO — outliers compared to the mainstream SIEM.
The UEBA brother got absorbed, but … Remember the mid-2010s, when User and Entity Behavior Analytics (UEBA) was the new shiny toy, all driven by cool machine learning? While it was an equal brother to SOAR for a moment, it has now largely been absorbed into the detection stack of the main SIEM product. Machine learning’s importance for basic threat detection has subtly decreased (odd…isn’t it?). UEBA has become a single, albeit important, feature within the engine, not a standalone platform.
Some XDR vendors graduated to real SIEM. EDR-centric SIEM vendors (XDR, if you have to go there), have landed. IMHO, these guys will do some heavy damage in the market in the next 1–2 years.
The Most Powerful Force in the Universe: IT Inertia
When I left Gartner, I famously outlined one key lesson from my analyst time: IT inertia is the most powerful force in the universe.
When you look at the MQ, you might see what looks like “same old, same old,” with certain large, established vendors still floating around. This is NOT about who pays, really! You might not believe it, but this placement absolutely reflects enterprise reality. Large vendors don’t die immediately.
Case in point: it took one particularly prominent legacy SIEM vendor (OK, I will name this one as it is finally dead for real, ArcSight) almost ten years to truly disappear from the minds of practitioners. Most companies were abandoning that technology around 2017–2018), but the vendor only truly died off in the market narrative in 2025. The installed base hangs on, dragging the demise out over a decade.
AI, Agents, and the Missing Tsunami
Finally, a quick note on the current darling: Generative AI and AI Agents.
While some vendors (and observers) expected a massive, dramatic impact from Generative AI on this year’s MQ, it simply hasn’t materialized — yet. As other Gartner papers will tell you, AI does not drive SIEM purchasing behavior today.
Why? Gartner’s assessment is based on customer reports. Vendors can yell all they want about how AI is dramatically impacting their customers, but until those customers report observable, dramatic improvements and efficiencies to Gartner, the impact is considered non-existent in the MQ reality.
The AI tsunami is coming, but for now, the market is still focused on the fundamentals: cloud-native scale, effective detection, and fast/good (AND, not OR) response. Getting those right is what puts you in the Leaders Quadrant. The rest is just noise…
Other SIEM MQ 2025 comments can be found here (more to be added as they surface…)
Hackers stole personal information of 6.6m people but outsourcing firm did not shut device targeted for 58 hours
The outsourcing company Capita has been fined £14m for data protection failings after hackers stole the personal information of 6.6 million people, including staff details and those of its clients’ customers.
John Edwards, the UK information commissioner who levied the fine, said the March 2023 data theft from the group and companies it supported, including 325 pension providers, caused anxiety and stress for those affected.
‘Brit card’ already facing opposition from privacy campaigners as government looks for ways to tackle illegal immigration
All working adults will need digital ID cards under plans to be announced by Keir Starmer, in a move that will spark a battle with civil liberties campaigners.
The prime minister will set out the measures on Friday at a conference on how progressive politicians can tackle the problems facing the UK, including addressing voter concerns around immigration.
As Keir Starmer aims to revive ID card system first proposed by Tony Blair, we look at the arguments for and against
It is 21 years since Tony Blair’s government made proposals for an ID card system to tackle illegal working and immigration, and to make it more convenient for the public to access services.
The same issues are on the agenda again as Keir Starmer revives what became one of New Labour’s most controversial policies. He is about to find out if he can defeat the argument that David Cameron’s Conservatives made before scrapping it. They said the ID card approach to personal privacy was “the worst of all worlds – intrusive, ineffective and enormously expensive”.
Barristers report going unpaid and cases being turned away amid fears firms will desert legal aid work altogether
Lawyers have warned that a cyber-attack on the Legal Aid Agency has pushed the sector into chaos, with barristers going unpaid, cases being turned away and fears a growing number of firms could desert legal aid work altogether.
In May, the legal aid agency announced that the personal data of hundreds of thousands of legal aid applicants in England and Wales dating back to 2010 had been accessed and downloaded in a significant cyber-attack.
As governments consider mandatory CCTV in early education, one big provider with cameras already installed is yet to formalise guidelines for how the footage will be stored and used
In the wake of horrifying reports last week alleging that eight children had been sexually abused by a worker in a Melbourne childcare centre, politicians and providers have scrambled to offer a response.
One option emerged from the fray as something concrete and immediate: the installation of CCTV cameras in childcare centres.
Lead brand of French luxury group LVMH reassures customers financial data such as bank details were not taken
Louis Vuitton has said the data of some UK customers has been stolen, as it became the latest retailer targeted by cyber hackers.
The retailer, the leading brand of the French luxury group LVMH, said an unauthorised third party had accessed its UK operation’s systems and obtained information such as names, contact details and purchase history.
CSRI finds China and Russia may be coordinating ‘grey zone’ tactics against vulnerable western infrastructure
China and Russia are stepping up sabotage operations targeting undersea cables and the UK is unprepared to meet the mounting threat, according to new analysis.
A report by the China Strategic Risks Institute (CSRI) analysed 12 incidents in which national authorities had investigated alleged undersea cable sabotage between January 2021 and April 2025. Of the 10 cases in which a suspect vessel was identified, eight were directly linked to China or Russia through flag-state registration or company ownership.
Citizen Lab says it found ‘digital fingerprints’ of military-grade spyware that Italy has admitted using against activists
The hacking mystery roiling the Italian prime minister Giorgia Meloni’s rightwing government is deepening after researchers said they had found new evidence that two more journalists were targeted using the same military-grade spyware that Italy has admitted to using against activists.
A parliamentary committee overseeing intelligence confirmed earlier this month that Italy had used mercenary spyware made by Israel-based Paragon Solutions against two Italian activists.
The Australian National University (ANU) has contacted authorities about a possible hacking incident after its vice-chancellor’s account liked a number of “highly offensive” LinkedIn posts about Gaza and Julie Bishop.
One of the posts liked by Genevieve Bell’s account was an inflammatory post about Gaza, while another made negative comments about Bishop, the ANU chancellor and a former foreign minister.
Arrest warrants issued for ringleaders after investigation by police in Europe and North America
European and North American cybercrime investigators say they have dismantled the heart of a malware operation directed by Russian criminals after a global operation involving British, Canadian, Danish, Dutch, French, German and US police.
International arrest warrants have been issued for 20 suspects, most of them living in Russia, by European investigators while indictments were unsealed in the US against 16 individuals.
Your Facebook or Instagram account can be your link to friends, a profile for your work or a key to other services, so losing access can be very worrying. Here’s what to do if the worst happens.
If you have access to the phone number or email account associated with your Facebook or Instagram account, try to reset your password by clicking on the “Forgot password?” link on the main Facebook or Instagram login screen. Follow the instructions in the email or text message you receive.
If you no longer have access to the email account linked to your Facebook account, use a device with which you have previously logged into Facebook and go to facebook.com/login/identify. Enter any email address or phone number you might have associated with your account, or find your username which is the string of characters after Facebook.com/ on your page. Click on “No longer have access to these?”, “Forgotten account?” or “Recover” and follow the instructions to prove your identity and reset your password.
If your account was hacked, visit facebook.com/hacked or instagram.com/hacked/ on a device you have previously used to log in and follow the instructions. Visit the help with a hacked accountpage for Facebook or Instagram.
Turn on two-step verification in the “password and security” section of the Accounts Centre. Use an authentication app or security key for this, not SMS codes. Save your recovery codes somewhere safe in case you lose access to your two-step authentication method.
Turn on “unrecognised login” alerts in the “password and security” section of the Accounts Centre, which will alert you to any suspicious login activity.
Remove any suspicious “friends” from your account – these could be fake accounts or scammers.
If you are eligible, turn on “advanced protection for Facebook” in the “password and security” section of the Accounts Centre.