Sage accounting software warns customers over data breach

  • Liam Tung (CSO Online)
  • 15 August, 2016 02:55

UK accounting software vendor Sage has reported a data breach that may have exposed salary and banking information from hundreds of its customers.

The Financial Times (FT) reported on Saturday that a breach at Sage may have exposed personal and salary as well as bank account details for employees of as many as 300 UK companies.

Sage, which sells its software in 23 countries including Australia and competes with local startups such as Xero, told 200 UK businesses customers that the details may have been exposed in the breach, according to FT.

Precise details about the breach, including whether it was carried out by an external hacker, are not clear.

In a statement on its UK homepage on Saturday, Sage said it was aware there had been “some unauthorised access using an internal login to the data of a small number of our UK customers”.

The company said it was working with the authorities to investigate the situation.

The breach was first reported by Richard De Vere on, a security consultancy. De Vere, who said he had talked with Sage about the incident, said the company confirmed that an employee caused the breach. His sources claimed the breach occurred two days before Sage told customers.

However, a spokeswoman for Sage was not able to confirm to CSO Australia whether or not the breach was carried out by an employee — only that Sage’s investigators were aware the breach occurred after someone had used internal login credentials to access the data.

“We are investigating unauthorised access to customer information using an internal login,” the spokeswoman said.

“We cannot comment further whilst we work with the authorities to investigate – our customers remain our first priority and we are speaking directly with those affected.”

According to FT sources, one Sage employee’s internal login details were used to access protected data in recent weeks.

Sage has millions of customers worldwide and is, as the BBC notes, the only listed tech company on the FTSE 100. The only other tech firm on the index was ARM Holdings, which Japanese telco SoftBank has agreed to acquire for $32bn (£24.3bn, AUD$41bn).

UK businesses are required by law to report data breaches to the Information Commissioner’s Office.

The UK hasn’t experienced a breach on the scale of Sony Pictures Entertainment or US retailer Target, however the nation is on high alert after last year’s breach of UK ISP TalkTalk which stemmed from a simple security flaw that resulted in the exposure of over 100,000 customers details.

A UK parliamentary report in June urged the government to implement laws that cut CEO compensation in cases where security has been neglected.