Sage admits security breach of cloud computing systems affecting 280 companies
"Internal login" used in unauthorised access of British software company systems
Sage, one of the UK's biggest software companies, has warned that personal information of employees at 280 organisations in the UK have been compromised in a security breach.
The company claims that the information was compromised as a result of "unauthorised access" by someone using an "internal" company login.
"We believe there has been some unauthorised access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation," warned the company in a statement released over the weekend.
The company claims that it has informed the Information Commissioner's Office (ICO), as well as the City of London Police.
However, the company did not give out any further information about the breach, whether or how the data was exfiltrated, how many people might be affected, the information that may have been compromised or even the services that had been cracked.
The company's statement also raises questions over how well secured and monitored the company's own authentication mechanisms are, and whether it was by a current or former employee, or whether the login credentials had been compromised in some way.
Sage claims some six million small- and medium-sized customers around the world for its accounting and human resources software, and the unauthorised access of 280 customer accounts therefore represents only a small proportion of its total customer base. The company claims that only UK-based companies were affected.
Thomas Fischer, threat researcher and global security advocate at Digital Guardian, laid the blame squarely at Sage's door, and suggested that the company's security was inadequate.
"It appears the Sage breach came from an insider. Insider threats are almost always preventable if the right people management processes and tools are in place," said Fischer.
He continued: "This is the case even if the employee is a so-called reluctant insider, meaning that, for example, an external party has compromised their account. Sage also claims that it is currently unsure how the data was compromised. Again, with the proper investments in IT security, this should be easily controllable and identifiable within a very short period of time."
The admission of a security breach at Sage comes after a week of revelations from retail systems vendors, who appear to have been targeted by a gang of Russian hackers. On Monday last week, Oracle revealed a serious breach at its MICROS subsidiary, admitting that it had removed "malicious code" from "legacy" retail systems software.
Later in the week, it was revealed that five other retail systems vendors had also been attacked, although none of them admitted to a breach of the same severity as at Oracle.
Computing has sent a series of probing questions to Sage this morning and will update the story as soon as the company responds.
Computing's Cloud & Infrastructure Summit 2016 is fast approaching. For more information, including the agenda and how to register, please click here