FTSE 100-listed software firm Sage has been contacting its UK customers this week after identifying a potential data breach at the weekend.
It is the second high-profile tech company breach in a matter of weeks after global tech player Oracle detected malicious code in some of the legacy point of sale (PoS) systems operated by Micros, a company which it acquired in 2014.
The Sage incident is currently being investigated by the relevant authorities but the company has indicated it believes there has been "unauthorised access using an internal login to the data of a small number of our UK customers". A statement on Sage's website homepage says as much, and other reports suggest the employees of over 200 Sage customers could have been impacted.
"Our customers are always our first priority so we are communicating directly with those who may be affected and giving guidance on measures they can take to protect their security," said Sage, which also revealed it is an incident isolated to the UK and does not affect customers in any of the accountancy and payroll software company's other 22 overseas markets.
Meanwhile in a letter to customers by Oracle, seen by Essential Retail, the advice was to change the passwords for all Micros accounts. Oracle said its corporate network and other cloud and service offerings were not impacted by the malicious code.
"Payment card data is encrypted both at rest and in transit in the Micros hosted environment," the letter said.
"To prevent a recurrence, Oracle implemented additional security measures for the legacy Micros systems."
Neira Jones, an independent payments and information security adviser, and a non-executive director at consultancy firm Cognosec, told Essential Retail that she believes technology companies still do not pay enough attention to the data entrusted to them by their customers.
She also argued that tech firms' customers, typically, do not focus enough on due diligence and governance in their supply chains.
Jones commented: "Whilst on the surface, these two data breaches can seem quite different – one with malware infected PoS devices in retail and hospitality and the other with compromised servers for payroll and accounting – they have crucial commonalities: both affected third-party suppliers to a large number of organisations and both, as far as we know, stemmed from misuse of legitimate credentials – either by malicious insiders or criminals obtaining those credentials."
The security expert said it is lucrative for criminals to target "the underbelly in the supply chain" as they can affect hundreds or thousands of firms at once.
"We notice that in the Oracle/Micros case, it seems that only legacy applications were targeted, which means that criminals studied their targets thoroughly to understand their vulnerabilities," she added.
"Secondly, once the target and its weaknesses are identified, what better way to maximise effort than to penetrate the environment via a legitimate route through valid credentials? Whether the actual perpetrator was a malicious insider or a criminal is a moot point: in the end the systems were compromised due to failures from these companies to notice anomalies at the 'reconnaissance' and 'initial compromise' phases of the cyber kill chain, which then led to the actual compromises."
The malicious Micros code was first highlighted by investigative journalist Brian Krebs, on his KrebsOnSecurity website. He first began investigating this incident on 25 July after receiving an email from an Oracle Micros customer – and one of his readers – who reported hearing about "a potentially large breach" within Oracle's retail division.
According to Krebs, a Russian organised cybercrime group known for hacking into banks and retailers was behind the attack. The same gang has apparently targeted other PoS providers.
Security problems at Sage and Oracle come after some high-profile data breaches in retail and the online world over the last 15 months, including at TalkTalk, Ashley Madison and Dixons Carphone, where consumer data was compromised.
Reflecting on UK corporates' approach to cybercrime and security, Jones said: "Many of us have been screaming 'People, Process & Technology!' for a very long time and it is symptomatic (ref: Verizon DBIR 2016) that organisations on all fronts still fail to manage insider threats effectively (training, behavioural monitoring, incident response, policies, encryption, authentication & credentials management, governance, etc.) and also fail in monitoring and governing their respective supply chains, thus exposing themselves through their weakest link.
"The cost of data breaches is already high, but come May 2018, the Global Data Protection Regulation will also make them that much more painful if organisations still de-prioritise information security."