UK software group Sage has notified 280 of its customers that a data breach might have compromised the personal details and banking information of their employees.
On 12 August, the Newcastle-based provider of business management software for accounting and payroll services notified 280 of its UK customers about the breach. The company then published a statement about the incident on its homepage on 13 August:
"We believe there has been some unauthorized access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation. Our customers are always our first priority so we are communicating directly with those who may be affected and giving guidance on measures they can take to protect their security."
Sage has not provided any more details regarding the incident. However, a person familiar with the breach told the Financial Times that someone used a Sage employee's account details to access sensitive data, which prompted the company to launch an investigation.
As of this writing, it's unclear whether the actor(s) responsible for the breach were employees or external actors who stole the login credentials.
The payroll software company told the City of London police about the incident over the weekend. The force is investigating the data breach along with the Information Commissioner's Office, which said it's working to determine whether it can bring punitive action against Sage for any information security shortcomings.
As quoted by International Business Times:
"The law requires organizations to have appropriate measures in place to keep people's personal data secure. Where there's a suggestion that hasn't happened, the ICO can investigate, and enforce if necessary."
Eduard Meelhuysen, vice president EMEA for Netskope, told SCMagazine the breach should serve as a reminder to companies to implement protections against insider threats:
"The data breach at Sage is a powerful reminder that although many businesses look to protect their data from outside threats, the uncomfortable truth is that a significant risk often comes from the inside. Whether true human error, compromised account details, malicious insiders or a lack of awareness around IT rules and how to help protect the company's data, the insider element needs to form part of the wider security strategy along with external threats."
One way companies can protect against those types of attacks is by speaking with Metacompliance, a provider of eLearning policy and compliance management software which, among other things, helps companies teach their employees to be on the lookout for potentially malicious behavior among their co-workers.