Sage Employee Arrested for Insider Breach

An employee of the U.K. business software company Sage was arrested at London’s Heathrow airport on August 17 in connection with an insider data breach that may have compromised the personal information of employees at 280 British companies, BBC News reports.

“A 32 y/o woman has been arrested in relation to the ongoing fraud investigation from the business firm Sage,” the City of London Police tweeted on the 17th.

“We believe there has been some unauthorized access using an internal login to the data of a smaller number of our U.K. customers,” Sage said in a statement on its website. “The City of London Police has now made an arrest in connection with this case, and we continue to work closely with the authorities to investigate the situation.”

MacKeeper security researcher Chris Vickery separately found more than 20 Sage customers’ corporate data exposed online, though Sage said those exposures were likely the result of the customers’ own lax security, Reuters reports.

“Specifically, what I found were over 20 unprotected MongoDBs, under the control of Sage customers, powering ‘on premises’ versions of Sage’s X3 server software suite. … X3 servers are intended for companies with over 200 employees, so finding more than 20 of them completely exposed to the public Internet, with no username or password required for access, was a little unnerving,” Vickery wrote in a blog post.

“If you are a large Sage client, make sure that your software installations are behind a firewall or, at the very least, you have some sort of access restrictions in place,” Vickery added. “Most companies do, but I know of at least 20 that did not… and the possible repercussions for those clients are frightening.”

Balabit CMO Matthew Ravden told eSecurity Planet by email that the problem with insider breaches is that so many security technologies are powerless to detect malicious activity by authenticated users. “Too much faith has been placed in password management systems, which a privileged user just logs into and is given unconstrained access to sensitive data,” he said.

“Organizations must put greater emphasis on monitoring and analyzing these users in real time to detect unusual activities and stop malicious acts from happening,” Ravden added. “Key points are made clear in this latest breach: privileged users pose a serious threat to every company, and passwords just aren’t effective.”

A recent survey [PDF] of more than 500 cyber security professionals found that 58 percent of respondents still lack the appropriate controls to prevent insider attacks, and 44 percent are unaware of whether their organization has experienced an insider attack at all.

Sixty-seven percent of respondents said the fact that insiders have credentialed access makes insider attacks more difficult to prevent.

“Your organization is, and will be, compromised by insiders, and to prevent attacks, you need to have some controls in place that are specifically focused on the insider,” Veriato CEO Mike Tierney said in a statement.

“Not only do companies need to do a better job of educating employees about what data they are able to share or take with them when they leave, but the departments within the companies need to do a better job working together to share any red flags they are seeing, for example from disgruntled employees,” Tierney added.

A recent eSecurity Planet article examined five ways to defuse the data threat from departing employees.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
