Sage UK is the latest company to be hit by a serious data breach. The breach was first reported by website TheAntiSocialEngineer.com. It said that Sage UK Payroll had started notifying customers about the breach via telephone. Customers were told:
At this stage, we are unable to confirm if data relating to your company has been affected, however, we felt it necessary to make you aware at this early stage.
Since then, the number of people affected has varied in different reports from 200 to 300 with no formal press release from Sage. In a short statement on Saturday, Sage said: “We are investigating unauthorised access to customer information using an internal login. We cannot comment further whilst we work with the authorities to investigate — but our customers remain our first priority and we are speaking directly with those affected.”
Insider threat strikes again
This is a serious breach and the attack could be in possession of far more than just 200-300 accounts. A payroll administrator would have access to the account details of all the staff at the company where they work. They would also have the authority to make payments from the company bank account.
The City of London police have been notified of the breach and are starting an investigation. The focus of that investigation is likely to be an insider. That information comes from notes posted on TheAntiSocialEngineer blog after a call with Sage. Those notes also make it clear that as of Saturday, Sage’s own internal Forensic team had no clue what had actually happened.
If this is an insider attack then there are several avenues of investigation. The first will be to establish whether the connection originated inside or outside the company network. If inside it should be possible to track down the workstation involved. Is it used by the user whose logon credentials were used in the data breach? It not, this would raise the possibility of another employee using the logon? It is possible that the workstation has malware on it allowing remote control by attackers using stolen credentials.
What if the logon came from outside the network? This would raise questions over secure logon processes and why external logons have access to such sensitive customer data. It will also be interesting to see what level of protection Sage now offers customers. Will it offer credit monitoring to just the affected payroll administrators? Will it offer to protect all the employees of those affected customers? The latter could result in a very big charge for Sage depending on the number of employees at those customers.
The breach is embarrassing for Sage. It has just concluded a highly successful conference in the US where it was bullish about its growth. Sage is also embroiled in a three-way fight with Intuit (Quick Books) and Xero for dominance of the rapidly growing SMB accountancy market. A data breach may give potential customers and partners a reason to look at its competitors.
We are only at the early stages of this story. When the UK press team start responding to emails today, we may find out more about what has happened.