This week has seen yet another high-profile UK business breached, possibly by an insider threat. This time it is a trusted business-to-business software provider, Sage Group PLC, which provides business management software for accounting and payroll services to companies in 23 countries.
Sage UK Payroll services began notifying customers of a data breach affecting their staff payroll systems on Thursday 11th August, offering the following statement:
“At this stage, we are unable to confirm if data relating to your company has been affected, however, we felt it necessary to make you aware at this early stage.”
The company said it reported the breach to the City of London police at the weekend. City of London Police, which has jurisdiction over fraud and cyber-crime cases in the UK, confirmed on Monday that it was investigating the issue.
In the first hour of stock market trading following the announcement of the breach, shares in Sage Group PLC fell 3.9%. Of course, though important to the company, its staff and shareholders, this breach will not eclipse the last significant UK public company data leak. The now infamous TalkTalk breach, which affected 156,000 consumers in the UK, has cost the business 9,000 customers in the second quarter of 2016. This means that in total the attack has cost TalkTalk £42m, although the real cost is more likely to be in the region of £60m once increased communication with customers, more call centre staff and the obvious improvements to its online security are included.
The obvious difference is that, by its own admission, Sage was likely compromised using internal administration credentials. This can be deduced from the following statement issued by the company:
“We believe there has been some unauthorised access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation. Our customers are always our first priority so we are communicating directly with those who may be affected and giving guidance on measures they can take to protect their security.”
An IDC survey of 400 companies with more than 1,000 employees in the UK, France, Germany, Sweden and the Netherlands revealed that 80% rely on traditional approaches to security that are unable to detect and respond to internal user activity, which can result in systems being compromised.
As a business owner investing in a cloud-based accounting and payroll system to manage your finances, you do not have the power to simply shut the system down. You are in the hands of your supplier, with the impact spreading to your employees and potentially your customers.
A breach like this means monitoring your business accounts for suspicious transactions. It means notifying your employees over a weekend to monitor their personal accounts for suspicious transactions. It means continuing that monitoring for months and possibly years. It could mean the closure of many business accounts viewed to be at risk, should your business hold highly sensitive customers and data. How does this affect compliance in your particular sector?
The Information Commissioner’s Office, whose focus is safeguarding personal data, is also looking into the breach. “We’re aware of the reported incident involving Sage UK, and are making inquiries,” it said.
“The law requires organisations to have appropriate measures in place to keep people’s personal data secure,” it added. “Where there’s a suggestion that hasn’t happened, the ICO can investigate and enforce if necessary.”
The Sage breach is understood to have affected only UK customers.