Accountancy software firm, Sage, has suffered a data breach, in which "personal details and bank account information for employees of as many as 300 large UK companies may have been compromised."
Sage announced that they were "investigating unauthorised access to customer information using an internal login". City of London Police are currently investigating to determine who was responsible.
Sage's website message:
We believe there has been some unauthorised access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation.
Our customers are always our first priority so we are communicating directly with those who may be affected and giving guidance on measures they can take to protect their security. If you have any concerns at all, you can reach us on the following contact details:
The dedicated helpline number is 0845 145 3345 - please leave a message with your details and we will get back to you as soon as we can. You can also get in touch with us by emailing us at firstname.lastname@example.org.
Weak password practices by employees are responsible for 65% of data breaches, so it’s no surprise that once again the attack vector is unauthorised credential-based access. It’s not yet been disclosed just how the internal login details were obtained: whether by social engineering, insecure storage of passwords, or simply a weak password that was easy for a hacker to work out.
Should the ICO decide that Sage have been negligent, the sanctions imposed could range from forcing an external audit of the firm to criminal prosecution. The cost to the organisation won’t be limited to remedying the damage or implementing a solution; reputational and financial damage can be significant, with Sage’s share price opening 4% down after news of the data breach.
When employees have to manage multiple passwords, security is often the first compromise. Two out of every three attacks focus on credentials, with 63% of confirmed breaches involving the use of weak, default or stolen passwords. It’s no surprise that credentials were responsible for the latest Sage breach; what is surprising is that they left themselves vulnerable to a credential-based attack.
[Update 17th August 2016]: City of London Police have arrested a 32-year-old employee of Sage at Heathrow airport in connection with a fraud investigation.