18 August 2016

Sage data breach

Following the TalkTalk cyber security breach of customer data in October 2015, this week another major organisation seems to have experienced that other variant of data breach – the rogue insider. Last weekend, the FTSE100 accounting software provider, Sage, confirmed that it was “investigating unauthorised access to customer information using an internal login.”

After an inquiry into the TalkTalk cyber-attack, the Culture, Media and Sport Committee issued a cyber security report which gave some guidance to organisations facing a data breach. Taking heed of the early warning approach taken by TalkTalk, which was favourably acknowledged by the Committee, Sage have reported the breach to the police and the regulator, the Information Commissioner’s Office, over the weekend.

Sage has also confirmed that it is notifying the “small number of [its] UK customers” that it believes might be affected, although we are aware that some customers of their services may need to instigate that contact themselves to confirm if they are on that list. There is limited information at this stage whilst Sage undertakes those investigations to determine what has actually taken place and what information has been accessed, if any. It is worth remembering that it took TalkTalk a couple of weeks to undertake that process and understand the details of what had happened to their customers’ information. Given that the BBC is reporting that this incident might affect around 280 UK businesses, it would seem that this situation is more likely to focus on those customers who have outsourced their accounting and payroll functions to Sage in the UK, as opposed to those simply using Sage’s business software.

It is important to remember that even if your business has outsourced a business critical service, such as accounting and payroll functions, this doesn’t remove or transfer your responsibility and liability for what happens to the personal data that is involved in that service – your business remains the data controller for data protection purposes and so remains liable for the acts of that outsourced provider processing the data on your behalf. In the case of payroll, for example, the personal data for which your business remains responsible is likely to include an employee’s name, address, National Insurance number and bank account details, so everything necessary to instigate an identity fraud.

While we wait to discover the details of this particular incident, it is already a timely reminder of where organisations might best focus their energies in the compliance battle around protecting personal data and the privacy of individuals. Businesses are increasingly interested in how to protect themselves from the risk of external cyber security breaches (and rightly so), but the security threat posed by internal breaches is potentially just as damaging and possibly harder to detect. Whilst it might come down to simple human error, weak password management or a disgruntled ex-employee having retained unauthorised access to systems when they should not have done, there is probably more scope for businesses to mitigate these areas of internal risk than those of the external variety.

These data breach incidents involving household name businesses continue to inform our own awareness of personal vulnerability to identity theft, an aspect which the Culture, Media and Sport Committee were also keen to encourage as a matter of public vigilance.

Recommended action which your business should take, at this stage, is to check whether your organisation outsources its accounting or payroll functions to Sage, check whether any of your HR, IT or accounting teams have been contacted by Sage to confirm that your business may be an affected customer and, if so, consider your internal communications to ensure employees are both reassured, but also put on alert as to what to watch out for. More medium term actions might include considering whether your organisation’s own security systems are sufficiently robust to protect against both the internal and external data breach threat.

If you’d like some assistance in considering the steps your business should be taking to protect against cyber security risks and compliance with data protection laws, please contact Emma Roe, a partner in our commercial team, on eroe@shulmans.co.uk or 0113 288 2817.

Further articles relating to data protection are available on our website: