UK business software firm Sage has issued a statement indicating that it has suffered an ‘unauthorized access’, potentially compromising the records of close to 300 customers. At this time very little is known for certain, although a brief statement on the Sage website states, “…unauthorised access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation.”
The first public indication of the incident came from The Antisocial Engineer on Saturday. The source of the initial information isn’t clear, but seems to have been provided by a Sage customer who had received a message from Sage such as, “At this stage, we are unable to confirm if data relating to your company has been affected, however, we felt it necessary to make you aware at this early stage.”
Sage later contacted The Antisocial Engineer and provided a little more information, such as ‘forensic teams were not fully aware of what data had gone missing’; customers were ‘notified over the phone’; ‘the breach was conducted by an employee’; and ‘200-300 company records were compromised’.
It should be noted, however, that Sage’s own on-site statement did not point to an employee, but to an internal login. That could suggest it was an employee, a contractor with access to elevated credentials, or possibly even an external hacker with access to stolen credentials.
Matt Middleton-Leal, regional director at CyberArk, suggests that the incident re-enforces the need for companies to take and maintain control over privileged accounts. “Credentials such as these should be automatically and regularly changed to prevent attackers lurking in the network for weeks. This would stop attackers early, ensure damage is minimal and mitigate the impact on shares – which have taken a hit this morning for Sage.” (Although Sage’s shares did indeed fall briefly with news of the incident, they have — at the time of writing — recovered to just 0.01% below their high point of the year.)
Sage itself has said it isn’t sure whether data was stolen or merely viewed. This implies that it has not yet detected any malware in its systems, nor noted any attempt at data exfiltration. It has, however, notified the UK data protection regulator (the ICO) and law enforcement.
The Antisocial Engineer suggests that the lack of a public response indicates a lack of an adequate incident response plan. “We decided to make the data breach public,” notes the blog, “as a distinct lack of openness was already being created with silence. It’s hard for a company to admit they have had a breach but it’s this very taboo we need to change in the industry. Data breaches are a case of when not if and how we handle these events can make a massive impact to all aspects of a brand.”
Sage’s own incident advice page would reinforce this idea. Headed ‘What do you do after a security breach?’, the second thing you do is ‘form a team to address the issue’. This is contrary to standard incident response good practice, which insists that you have a response team ready and organized in case of a breach, so that you don’t have to scramble to create one after a breach.