Sage UK Payroll Data Breach

Personal details and bank account information for employees of as many as 300 large UK companies may have been compromised as part of a data breach at Sage, a UK accountancy software group.

August 11th, 2016 Sage UK Payroll services started notifying customers of a data breach effecting their staff payroll systems. A rather generic statement was believed to be provided to their customers:

“At this stage, we are unable to confirm if data relating to your company has been affected, however, we felt it necessary to make you aware at this early stage.”

The AntiSocial Engineer Limited never wishes to ‘bash’ brands but all too often their own actions cause us frustration. We reported the TalkTalk data breach in total confidentiality days before the media fogged the waters and magnified the event. They ignored our recommendations, did not return calls or take freely given advice and as a consequence in the days that followed we had our heads in our hands watching the catastrophe unfold. We had provided them with expert and relevant information which went unheeded, ultimately it was no surprise they turned to bigger and more familiar suppliers, which might not have been the right fit in the circumstances. Today a similar event has unfolded, we decided to make the data breach public as a distinct lack of openness was already being created with silence. It’s hard for a company to admit they have had a breach but it’s this very taboo we need to change in the industry. Data breaches are a case of when not if and how we handle these events can make a massive impact on all aspects of a brand.

 

Sage have contacted us directly after the release of this blog (13/08/16, 19:48) and a few things were observed in the call:

  1. Forensic teams were not fully aware of what data had gone missing – After this time period, a good forensic outfit should have undertaken the basic steps needed to identify what had happened. It might not be enough time for the full report, but an interim statement should have been released.
  2. Customers of Sage were apparently notified over the phone, I find this odd. In this instance, it is almost always easier to email clients. One clear release of information dispersed at the same time.
  3. It was disclosed that the breach was conducted by an employee – again we see insider threat as the main factor in a breach. I have no doubts that a company such as Sage took great steps in securing their network perimeter but Insider threats can be prevented – nearly always! 
  4. 200-300 Company records were compromised, the situation regarding this was not made clear on the call. It could have been an honest mistake, but if we had to speculate – this rarely happens by accident.
  5. It has been a minimum of 2 days since the breach and in my opinion, their press teams were not fully versed in how to handle the event – In the early stages of a breach event it is vital to have transparency, unity and all departments ‘firing on all cylinders’ together. Even their assumed crisis management company, who boast on their site “Our global digital practice consists of communications specialists” have been observed by us discussing this blog post, alluding to the fact that the biggest companies might not always be the most apt!

 

The data that Sage are likely to hold on many UK companies and their staff will consist of Personal details such as addresses, National Insurance Numbers, Names, Date of Birth, Bank Account Details and salary information! Although the full extent of the breach is still being investigated by UK Authorities so it is hard to say exactly what has been leaked.

The Information Commissioners Office is fully aware of the matter and dealing with it in co-operation with Police Cyber teams accordingly. It will be good to see them follow their own advice.

 

An ICO Spokesperson has commented for this post:

“The law requires organisations to have appropriate measures in place to keep people’s personal data secure. Where there’s a suggestion that hasn’t happened, the ICO can investigate, and enforce if necessary.”

Which is officially the most nondescript press statement ever, but it is early days and I wish them all the best and would like to thank them all the same.

 

Sage have released a vague press statement on the matter at (14/08/16, 13:45):

“We believe there has been some unauthorised access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation.

Our customers are always our first priority so we are communicating directly with those who may be affected and giving guidance on measures they can take to protect their security.”

 

The city of London Police have arrested a 32-year-old woman in connection with the data breach (17/08/16, 19:00):

 

Some important tips to remember at times like this:

  • Insider Defence Is The AntiSocial Engineer’s focus for the Information security industry, all too often we hear of stories like this, blaming insider threat but rarely do we focus on fixing it. We can patch humans, we can educate, we can use staff to secure our data. To pass the blame to a disgruntled employee can be a mistake.

 

  • Be on the look out for Phishing emails that go the extra mile, including believable details that will try to use the stolen data to persuade you they are genuine. Ideally you should be vigilant all year round, but following an event like this it is highly probable that at least ‘some’ data is in the hands of people that shouldn’t have it. What do these people do with it? They use it for all it’s worth! The data it’s self is worthless remember it’s only by the following frauds criminals can profit. We’ve seen it with TalkTalk and many large breaches before.

 

  • Vishing Calls (Phone Calls designed to gather information) that will use pretexts that utilise the stolen data – “Hello Miss Jones, it Dave calling from your bank I am wanting to check a few details, is your address still XXX and Your Account number still XXX, if so can I have your telephone banking password to confirm your identity.” The thing with almost all data except card data is it normally needs another little piece of the puzzle to turn it into cash – try not to help them out. If companies do ever call you remember to say “Thanks for your call fella” replace the handset and Google the company contact details and ring them back after some quick validation. You don’t have to be paranoid to do this, but that little bit of effort and time might just save you from being a victim. Make it a habit.

 

  • SMShing (SMS Phishing) that requires your involvement somehow. Maybe to click a link within an SMS message or to relay a code back to the sender. Increasingly fraudsters are using SMShing to gain a large advantage over phishing alone. Many reasons for this exist but in terms of a data breach situation, it can sometimes just be ease. You have a database containing several thousand phone numbers, you have a cheap way to send out thousands of SMS messages… It’s a match made in heaven (or Hell).

 

 

Richard De VereRichard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer Limited, he has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.