Sage notified 200 of their business customers this week that their personal data could be at risk following a data breach. The software group warned their UK clients that employee bank account details and salary information could be accessible to those responsible for the hack.
According to the BBC, an individual accessed the data over the past few weeks using an internal company computer login; Sage and the police are currently investigating how this could have occurred.
“We cannot comment further whilst we work with the authorities to investigate – but our customers remain our first priority and we are speaking directly with those affected,” a Sage spokesperson said over the weekend. The Information Commissioner’s Office (ICO), which is responsible for enforcing the Data Protection Act 1998, is also investigating how this could have happened.
If the ICO’s verdict reveals that Sage has been negligent, it could mean criminal prosecution, non-criminal enforcement or an audit at the company, the BBC reported. “The law requires organisations to have appropriate measures in place to keep people’s personal data secure. Where there’s a suggestion that hasn’t happened, the ICO can investigate and enforce if necessary,” the ICO said.
Paul German, VP EMEA at Certes Networks, highlighted that Sage UK is at present not aware of the full extent of the data breach, which in his view indicates that it does not have adequate segmentation in place. “Quite simply, if Sage had cryptographically segmented its security system into predefined and clearly understood fragments, the breach would have been more manageable, instead of system wide, and Sage would know the parts of the network infrastructure that have been hacked.”
“Sage should have a crypto-segmentation strategy in place, which would ensure that all sensitive application flows inside and outside the perimeter are encrypted, creating a clean and unbreakable link between each user and the permitted data and applications. As a result, if a breach does occur, the hacker is limited with the information and data that it is able to exploit,” German said.
German continued to explore how trust is an issue here and questioned why confidential customer data was not encrypted. “This attack shows the need for organisations to adopt a zero trust strategy, which assumes that there is no such thing as a trusted network or IT environment. Instead, every user, device, network and application must be treated as untrusted, and all enterprise systems should be considered already compromised.”
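German's segmentation and zero-trust points come down to two controls: an internal login should only be able to reach the data it is permitted to service, and every read should leave an audit record that can be checked for a single login quietly sweeping across many customers. The following is an added illustration, not Sage's code or a Certes product; it models only the scoping and audit side of the argument, not the encryption of application flows that crypto-segmentation also entails. The flat versus segmented read functions, the `SCOPE` policy table, the payroll records and the timeline in `demo()` are all constructed for this example.

```python
"""Constructed example: scoping internal logins to a data segment and
auditing reads for out-of-scope or unusually broad access."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed payroll records, keyed by business-customer id.
PAYROLL = {
    "cust-001": [{"employee": "A. Example", "account": "12345678", "salary": 31000}],
    "cust-002": [{"employee": "B. Example", "account": "87654321", "salary": 42000}],
    "cust-003": [{"employee": "C. Example", "account": "11112222", "salary": 28000}],
}

# Hypothetical policy table: which customer ids each internal login may service.
SCOPE = {
    "support-north": {"cust-001"},
    "support-south": {"cust-002", "cust-003"},
    "payroll-admin": {"cust-001", "cust-002", "cust-003"},
}


def read_payroll_flat(login, customer_id):
    """Flat model: any valid internal login reads any customer's payroll.
    Nothing is checked and nothing is recorded, so a misused login can
    sweep every customer and the operator cannot later say what was read."""
    return PAYROLL[customer_id]


class AccessDenied(Exception):
    """Raised when a login reads outside its permitted segment."""


def read_payroll_segmented(login, customer_id, audit_log, when):
    """Segmented model: the login is bound to a set of customers and every
    attempt, allowed or refused, is appended to `audit_log`."""
    allowed = customer_id in SCOPE.get(login, set())
    audit_log.append({"ts": when, "login": login, "customer": customer_id, "allowed": allowed})
    if not allowed:
        raise AccessDenied(f"{login} may not read payroll for {customer_id}")
    return PAYROLL[customer_id]


def flag_suspicious(audit_log, window=timedelta(days=7), max_customers=2):
    """Return {login: reason} for logins that had a read refused, or that read
    payroll for more than `max_customers` distinct customers within any
    `window`. The second rule catches a permitted but over-broad login, the
    pattern of one credential reading many customers' data over weeks."""
    by_login = defaultdict(list)
    for event in audit_log:
        by_login[event["login"]].append(event)

    flags = {}
    for login, events in by_login.items():
        events.sort(key=lambda e: e["ts"])
        if any(not e["allowed"] for e in events):
            flags[login] = "read refused by segment policy"
            continue
        for i, start in enumerate(events):
            # Distinct customers read in the window opening at this event.
            seen = {e["customer"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(seen) > max_customers:
                flags[login] = f"{len(seen)} customers read within {window.days} days"
                break
    return flags


def demo():
    """Constructed timeline: one legitimate login, one out-of-scope attempt,
    one permitted login reading every customer inside a week."""
    t0 = datetime(2016, 8, 1)
    log = []
    read_payroll_segmented("support-south", "cust-002", log, t0)
    read_payroll_segmented("support-south", "cust-003", log, t0 + timedelta(days=1))
    try:
        read_payroll_segmented("support-north", "cust-002", log, t0 + timedelta(days=2))
    except AccessDenied:
        pass  # refused and recorded; the detector picks it up below
    for day, cust in ((3, "cust-001"), (5, "cust-002"), (8, "cust-003")):
        read_payroll_segmented("payroll-admin", cust, log, t0 + timedelta(days=day))
    return flag_suspicious(log)


if __name__ == "__main__":
    print(read_payroll_flat("support-north", "cust-002"))  # flat model: no check, no record
    for login, reason in demo().items():
        print(f"{login}: {reason}")
```

`support-south` stays within its two customers and is not flagged; `support-north` is refused at the policy layer and flagged on the refusal; `payroll-admin` is permitted every read yet is flagged because three customers inside a week exceeds the threshold. Thresholds and window are placeholders to tune against real access patterns.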
It could be said that the TalkTalk breach last year was when UK businesses started to become more cyber-savvy and understood that precautions needed to be taken. Over 65% of British businesses have been targeted by hackers and 25% have experienced a security breach at least once a month, according to the UK government’s Cyber Security Breaches Survey 2016.
In this survey, Ed Vaizey MP, Minister for the Digital Economy, highlighted that while the digital economy is expanding to suit the changing needs of the customer, we need to ensure that this country is the safest place in the world to do business online. “Everyone I talk to agrees the threat is significant and needs to be tackled, but there is a gap between awareness and action, which is highlighted in this report.”
“We see a steady stream of breaches and attacks on firms which assume they are on top of security but still haven’t got a good understanding of the possible impact on their business or what they should do about it,” the report read.
Another big cyber-attack occurred over the SWIFT network earlier this year, where fraudulent messages were sent over the system and 11,000 financial institutions were put at risk. As for Sage, the FT reports that analysts at Citi believe the breach would “hit sentiment rather than financials”, since less than 1% of the customer base was affected. “From a financials standpoint, we believe Sage’s broad-based geographic presence and sticky business model should help mitigate some of the downside risk posed by likely loss of reputation in the UK and Ireland.”
Jon Geater, Chief Technology Officer at Thales e-Security, said that while cyber-attacks are now everyday news, this incident reaffirms the importance of protecting data. “We must look further than simply logins and passwords as the single access point to an organisation’s war chest, and with recent global research from the Ponemon Institute revealing employee mistakes are still the most significant threat to sensitive data, organisations have to realise that they are still at risk even if they don't believe they are a target for hackers - which of course they are,” Geater said.