
Sage Group's Very Bad Month

Police Arrest Insider After Breach; Software Misuse Issues Arise as Well

Police have arrested an employee of U.K.-based accountancy and business software developer Sage Group after a data breach. Meanwhile, a report has emerged that some customers are using its software in an unsecured manner.


On Aug. 17, City of London police arrested a Sage insider, following the company warning via its website on Aug. 14 that 200 to 300 U.K. businesses may have been affected by a data breach related to the use of an insider's login credentials.

"The City of London Police arrested a 32 year-old woman on suspicion of conspiracy to defraud at Heathrow airport," a spokesman tells Information Security Media Group. "The woman was arrested in connection with an alleged fraud against the company Sage. She has since been bailed. The woman is a current employee of Sage."

Sage declined to comment on that report, citing the ongoing investigation.

Sage says its customers include 6.2 million businesses in 23 countries; it has 13,000 employees. The company is the only technology stock still listed on the FTSE 100 - the 100 largest companies listed on the London Stock Exchange.

Breach Tied to Insider Credential

The data breach stemmed from inappropriate use of a legitimate access credential, Sage reports. "We believe there has been some unauthorized access using an internal login to the data of a small number of our U.K. customers, so we are working closely with the authorities to investigate the situation," Sage says in a notice published on its website. "Our customers are always our first priority, so we are communicating directly with those who may be affected and giving guidance on measures they can take to protect their security." The company also published a toll-free number that all customers can call to receive further information.

Sage says it's also informed Britain's privacy watchdog, the Information Commissioner's Office, about the breach.

"We're aware of the reported incident involving Sage UK, and are making enquiries," an ICO spokeswoman tells ISMG. "The law requires organizations to have appropriate measures in place to keep people's personal data secure. Where there's a suggestion that hasn't happened, the ICO can investigate, and enforce if necessary."

Shodan Unearths Unprotected Servers

Separately, serial bug spotter Chris Vickery says that on Aug. 11, he found that more than 20 organizations were running on-premises Sage X3 servers backed by poorly configured installations of the MongoDB open source database, raising serious security concerns. Vickery said he spotted the databases via Shodan - a search engine for internet-connected devices and services. The servers are meant to be used by companies with 200 or more employees, he points out.

"So finding more than 20 of them completely exposed to the public internet, with no username or password required for access, was a little unnerving," Vickery says via an Aug. 18 blog post on the site of controversial anti-virus software developer MacKeeper (see MacKeeper Hid Product Update Error). MacKeeper, which last year settled a class-action lawsuit alleging deceptive advertising and false claims, hired Vickery after he warned that the company had inadvertently exposed millions of customers' personal details online, which it then fixed (see MacKeeper: 13M Customers' Details Exposed).

In the case of the Sage servers, Vickery says that some "contained massive amounts of company records in the form of PDFs, DOCs, and XLS spreadsheets," and that he initially warned Sage, believing that it controlled the servers directly. "High-level Sage staff members sent a response back within hours - rather impressive when considering the U.K. time zone difference," he says. "We engaged in a telephone conversation shortly thereafter. The Sage representatives were very clear that while they claim Sage is not at fault for these breaches, Sage is extremely concerned with any situation involving their software being implemented insecurely by clients."

Vickery says that he supplied IP addresses for vulnerable installations to Sage, and that the company has begun directly notifying affected customers. But he warned that the affected companies' information may have already been accessed by other parties.

"I've found logs indicating that I am not the first person to discover these exposed servers," he says. Sage declined to comment on that assertion.

Vickery warns all Sage X3 software users to ensure that they lock down the software. "If you are a large Sage client, make sure that your software installations are behind a firewall or, at the very least, you have some sort of access restrictions in place," he says. "Most companies do, but I know of at least 20 that did not."
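The two weaknesses Vickery describes, a database reachable from the public internet with no username or password, map onto two mongod.conf settings. The following audit routine is an added example written for this article, not Sage or MongoDB code; the configurations it checks are constructed, and in practice the dictionary would be loaded from /etc/mongod.conf with a YAML parser.

```python
"""Audit mongod.conf settings for the failure mode found on the exposed
Sage X3 back ends: no authentication plus listening on a public interface.
Added example; the configs are constructed and the dict shape matches what
a YAML load of mongod.conf produces."""

PUBLIC_BINDINGS = {"0.0.0.0", "::", "*"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _get(cfg, path, default=None):
    """Walk a dotted path such as 'security.authorization' in a nested dict."""
    node = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_mongod(cfg):
    """Return (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    auth_enabled = _get(cfg, "security.authorization") == "enabled"
    if not auth_enabled:
        findings.append(("high", "security.authorization is not 'enabled': no username or password required"))

    bind_ip = _get(cfg, "net.bindIp")
    if _get(cfg, "net.bindIpAll", False) or bind_ip is None:
        # bindIpAll, or an unset bindIp on packages older than 3.6, listens on every interface.
        addrs = {"0.0.0.0"}
    else:
        addrs = {a.strip() for a in str(bind_ip).split(",")}
    wildcard = bool(addrs & PUBLIC_BINDINGS)
    if wildcard:
        findings.append(("high", "net.bindIp listens on all interfaces"))
    elif not addrs <= LOOPBACK:
        findings.append(("low", "bound to non-loopback address(es); confirm firewall rules cover them"))
    if wildcard and not auth_enabled:
        findings.append(("critical", "reachable from any network with no credentials (the state Shodan indexed)"))
    return findings


# Constructed configs: the weak shape beside the hardened one.
WEAK_CONF = {"net": {"port": 27017, "bindIp": "0.0.0.0"}}
HARDENED_CONF = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},  # loopback plus one private app-server interface
    "security": {"authorization": "enabled"},
}
```

The "low" finding on the hardened config is deliberate: a private-interface binding is acceptable only if the firewall rules Vickery calls for are actually in place, so the audit asks for that confirmation rather than passing silently.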

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor for DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
