Sage Group has admitted to a data breach which may affect hundreds of UK business customers.
Over the weekend, the accounting software company revealed that the network compromise was caused by someone using an internal login without authorisation.
The breach affects UK customers only; between 200 and 300 of them could be caught up in the aftermath.
However, it is not yet known whether any information was leaked, how much, or whether the unauthorised access was just someone having a look around — simply because they could.
Richard De Vere said on “The AntiSocial Engineer” blog that Sage began notifying customers potentially involved in the data breach on August 11. During a call with the accounting firm, Sage said the breach was conducted by an employee rather than an external cyberattacker.
In a statement, Sage said:
“We believe there has been some unauthorised access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation.
Our customers are always our first priority so we are communicating directly with those who may be affected and giving guidance on measures they can take to protect their security.”
Sage holds data on its clients including addresses, National Insurance Numbers, names, dates of birth, bank account details and other financial information. These records could be valuable to attackers looking to cash in, but it is not yet known whether Sage client data was ever at risk.
The company is working with law enforcement, and the UK’s data protection regulator, the Information Commissioner’s Office (ICO), is aware of the situation.
The problem with insider threats is that they are hard to prevent outright, although their impact can be limited. A recent study by the Ponemon Institute found that rising data loss is often caused by insiders and compromised employee accounts, and the problem is made worse because staff and third parties frequently have access to more sensitive information than they need.
None of the details of Sage’s breach are known yet; even so, companies should take note and put stronger controls in place to keep data access on a ‘need to know’ basis, so that a single misused login cannot reach more than the damage a breach would otherwise allow.
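The two controls described above, need-to-know access and spotting a login that browses more than its job requires, are easier to see in code than in prose. The following is an added example written for this page; it is not Sage’s code and says nothing about how Sage’s systems actually work. The customer records, the logins (alice, bob) and the rule that an internal login has a need to know only for customers it manages are all constructed assumptions for illustration.

```python
"""Need-to-know access control for internal logins, plus bulk-access detection.

Constructed example. The customer data, logins and entitlement rule below
are invented for illustration and are unrelated to any real system.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed customer records (fake names, NI numbers and bank details).
CUSTOMERS = {
    "C001": {"name": "Acme Ltd", "ni": "QQ123456A", "bank": "12-34-56 12345678", "account_manager": "alice"},
    "C002": {"name": "Globex plc", "ni": "QQ234567B", "bank": "23-45-67 23456789", "account_manager": "alice"},
    "C003": {"name": "Initech Ltd", "ni": "QQ345678C", "bank": "34-56-78 34567890", "account_manager": "bob"},
}

# Fields any authenticated staff member may see, versus fields that
# require a need-to-know relationship with that specific customer.
PUBLIC_FIELDS = {"name"}
SENSITIVE_FIELDS = {"ni", "bank"}


@dataclass
class AccessLog:
    """Every read attempt is recorded, allowed or not, so misuse is visible."""
    entries: list = field(default_factory=list)

    def record(self, login, customer_id, fields, allowed):
        self.entries.append((login, customer_id, tuple(sorted(fields)), allowed))


def need_to_know(login, customer_id):
    """Assumed rule: a login has a need to know only for customers it manages."""
    rec = CUSTOMERS.get(customer_id)
    return rec is not None and rec["account_manager"] == login


def read_customer(login, customer_id, fields, log):
    """Return only the requested fields this login is entitled to see.

    Sensitive fields are released only when need_to_know() holds. A request
    that asks for more than it is entitled to is logged as a denial rather
    than silently trimmed, so that the attempt itself can be detected.
    """
    rec = CUSTOMERS.get(customer_id)
    if rec is None:
        log.record(login, customer_id, fields, False)
        return None
    requested = set(fields)
    allowed = requested & PUBLIC_FIELDS
    if need_to_know(login, customer_id):
        allowed |= requested & SENSITIVE_FIELDS
    denied = requested - allowed
    log.record(login, customer_id, fields, not denied)
    return {f: rec[f] for f in allowed}


def flag_bulk_access(log, threshold):
    """Logins that touched more distinct customers than `threshold`.

    An internal login 'having a look around' tends to show up as one
    account reading far more customer records than its role requires.
    """
    seen = defaultdict(set)
    for login, customer_id, _, _ in log.entries:
        seen[login].add(customer_id)
    return {login: len(ids) for login, ids in seen.items() if len(ids) > threshold}


def flag_denials(log):
    """Per-login count of attempts that requested data outside its entitlement."""
    counts = defaultdict(int)
    for login, _, _, allowed in log.entries:
        if not allowed:
            counts[login] += 1
    return dict(counts)


if __name__ == "__main__":
    log = AccessLog()
    # alice manages C001, so she gets the sensitive fields.
    print(read_customer("alice", "C001", ["name", "ni", "bank"], log))
    # bob does not manage C001: he gets the name only, and the denial is logged.
    print(read_customer("bob", "C001", ["name", "ni", "bank"], log))
    print(read_customer("bob", "C003", ["ni"], log))
    print(read_customer("bob", "C002", ["bank"], log))
    print("denials:", flag_denials(log))
    print("bulk readers:", flag_bulk_access(log, threshold=1))
```

The two detection functions are deliberately simple: the point is that a scoped entitlement check shrinks what any one internal login can reach, and that logging denials and counting distinct records per login is enough to surface the "just looking around" pattern that would otherwise be invisible.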
ICO said in a statement:
“The law requires organisations to have appropriate measures in place to keep people’s personal data secure. Where there’s a suggestion that hasn’t happened, the ICO can investigate, and enforce if necessary.”