UK-based accounting software firm Sage has reportedly suffered a data breach. The attacker is thought to have used an internal login to access personal details of employees at around 300 companies. It is currently not clear if the data was merely viewed, or if it was stolen. IT security experts commented below.

Adam Bangle, Vice President of Northern Europe at FireEye:

“While we don’t know the specific details of the Sage breach yet, based on our data and the trends we’re seeing, this type of attack is becoming fairly typical and has lasting effects on a company’s brand.

In a statement to The Register, Sage mentioned that the attack had happened ‘within the last few weeks’. This puts it ahead of the average, based on findings from our recent M-Trends EMEA report which revealed that organisations are taking an average of 469 days (15 months) to identify a cyber-attack after the initial compromise.

This falls far below consumer expectations, however. Back in May 2016, a FireEye survey of 1000 consumers revealed 92% of people expect to be informed within 24 hours if a business that they deal with has suffered a data breach and their data may be compromised.

With the EU General Data Protection Regulation (GDPR) set to require that authorities are informed of a data breach within 72 hours, UK companies will need to improve their threat identification abilities or face stringent fines which are soon to be imposed by the EU.

While we don’t know whether Sage was negligent in this instance, the company was the biggest faller on the FTSE 100 this morning, proving that cyber-attacks can have many hidden consequences on businesses.

Detecting and preventing insider threats is a difficult task, but if organisations are able to identify the most critical assets and ensure that they have good visibility into the activities of those assets, the chances of detecting unauthorised activities increase, significantly reducing the likelihood that an insider will be able to execute a successful attack.

Organisations must stay vigilant against external threats, but should not ignore the risk that insider threats pose to sensitive data.”

Jes Breslaw, Director of Strategy at Delphix:

“Insider threats continue to pose a serious risk to organisations of all sizes across all industries. With employees able to gain access to data either using legitimate passwords or through physical access, businesses must be prepared to protect the data sitting at the core of their organisation by rendering it unusable if stolen.

“Rather than establishing perimeter defences in hopes of repelling breach attempts, security-minded organisations need to invest in technologies that protect the interior—the data itself. The only way to 100 per cent protect that data is through masking, a fail-safe process which intelligently scrambles data and adds an additional layer of security to make it impossible for criminals to exploit.

“Yet, this process has traditionally been an expensive, complex task, with only one in five organisations adopting the method. By using a combination of data virtualisation and data masking, enterprises can now scale data masking for all copies of production data and safeguard it from both insider and outsider threats.”

Thomas Fischer, Threat Researcher & Global Security Advocate at Digital Guardian:

“After further investigation and forensics work, it appears the Sage breach came from an insider. Insider threats are almost always preventable if the right people management processes and tools are in place. This is the case even if the employee is a so-called reluctant insider, meaning that, for example, an external party has compromised their account. Sage also claims that it is currently unsure how the data was compromised. Again, with the proper investments in IT security, this should be easily controllable and identifiable within a very short period of time.

“What is perhaps more troubling is the lack of information or proper handling of the breach vis-à-vis the public, especially in the wake of the recent Talk Talk incident. High profile companies should be in a permanent state of alert, and must be prepared to immediately advise not only their customers, but also provide proper and timely information to the public. Communications, be that internally, with law enforcement or externally, are an essential aspect of any good incident and breach response plan.”

Ryan O’Leary, VP Threat Research Centre at WhiteHat Security:

“It’s currently unclear what type of internal login was used in this data breach. If it turns out to be a login portal accessed only from the internal network, this could be a sign of an inside job. It’s not uncommon for systems to be compromised by the company’s own employees. Often, insiders are motivated by revenge for some perceived wrongdoing by their employer. Data breaches of this kind highlight the importance of careful consideration around access privileges. Sometimes, the easiest way to mitigate an insider threat is to simply audit who has access to critical and sensitive data.

“The other alternative is that a Sage employee has had their credentials compromised. This could have been caused by a direct attack, where the attacker attempted to steal the credentials of a specific user, or by using compromised credentials from an entirely different data breach. The simple truth is that people often use the same username and password combinations on a variety of different sites and systems. With the high number of password leak incidents recently, attackers will no doubt be trying to use compromised credentials on a variety of websites, to see if they work. Users must make sure they’re using different passwords on every site.”

Information Security Buzz