Sage data breach – attack from within

In August 2016 a woman was arrested following a loss of customer data at Sage, the Newcastle-based plc software firm, which provides accounting and payroll software to SMEs in the UK and abroad.

This was an embarrassing loss for a company specialising in software.

However, this attack came from within – an employee gained access to a significant amount of sensitive client information covering 200 businesses that used certain Sage systems. This was achieved using an internal employee login credential, which allowed the user unrestricted access to the payroll information of Sage customers.

Salary information, national insurance numbers and individual bank account details were viewed, and could potentially have been distributed, sold or misused in further cyber-criminal attacks. In a worst-case scenario, companies could have suffered a disruption in trading or sustained losses as a result of a subsequent targeted attack, which, for small or medium-sized businesses, could have a devastating effect on finances.

Given the nature of the breach, Sage UK Payroll worked closely with police and the Information Commissioner’s Office (ICO) to investigate the extent of the fraud. Swift action is critical when a data breach has occurred in order to minimise and prevent losses.

Sage contacted its UK clients whose data had been affected, and although the data obtained in this case was not distributed, the reputational damage to Sage was done, resulting in an immediate fall in share price following the announcement of the crime.

The cost to a business of a breach is therefore not only the obvious costs of compensation and remediation (and associated legal fees) but also the potential loss of customers, and the cost of repairing damage to the firm’s brand. There will also be a fine from the ICO in due course.

Following the high-profile breaches of gaming giant Sony in 2014 and telecoms provider TalkTalk in 2015, there is increasing pressure on companies to have robust data protection policies and measures in place to prevent data theft.

The result has been a focus on strengthening network security to defend against external attacks, but firms remain vulnerable to insider threats from employees or other individuals within their own organisation. Insider fraud is a crime of opportunity, and the good news is that nearly all insider threats can be prevented by reducing that opportunity in the first instance.

Employees often have detailed knowledge of internal systems and controls, and can circumvent or override procedures, knowing where businesses’ weaknesses are and how they can be exploited and concealed.

Smaller businesses (where the number of employees is low) are especially susceptible to these risks, as one individual may have responsibility for a number of key systems.

So what can be done?

  • Prevent staff having unnecessary access permissions to systems that are not related to their role or function
  • Rotate duties and responsibilities
  • Cultivate an atmosphere of transparency and honesty, and enable channels of communication to encourage employees who suspect suspicious activity to come forward
  • Educate staff on the signs of internal fraud – simply knowing an organisation has procedures in place to detect fraud is a powerful deterrent to fraudsters.

Tait Walker work closely with SMEs to identify weaknesses in a company’s systems and to seal the holes in their security that fraudsters seek to exploit, as well as providing practical advice to limit exposure to fraud.

Our Forensic team can provide a rapid, co-ordinated response with local law enforcement and solicitors in the event that a fraud is detected, together with advice on quantifying and evidencing the losses sustained, helping with recovery wherever possible.

If you would like to know how to avoid data losses and reduce risks of internal frauds, please contact David Arthur, or any member of our Forensic team.
