UK-based Sage, which provides payroll, accounting and payments software for businesses, has said that an internal login was used to gain unauthorised access to the data of its users.
As one of Britain’s biggest tech firms, Sage has in excess of six million small and medium-sized businesses worldwide using its software. Although Sage provides services in more than 20 countries across the globe, the cyberattack is thought to only be impacting its UK customers. The incident has been reported to police in London, and the Information Commissioner’s Office, which enforces the Data Protection Act, has also been informed. It is not clear whether the attack was an inside job or if an employee’s login details were stolen by an outsider.
“Most cyber liability policies cover both rogue employee activity as well as an outside attack,” explains Jeremy Barnett, Senior Vice President, Marketing, NAS Insurance Services. “Sage is going to have to respond to these activities with lawyers and an IT company to find out exactly what happened. They’re also going to have to pay for data restoration and any regulatory fees. These are first party aspects that a cyber policy should cover.”
After it was revealed that the personal details of employees from approximately 280 companies were exposed in the attack, a source from the company said: “We are investigating unauthorised access to customer information using an internal login … We cannot comment further whilst we work with the authorities to investigate but our customers remain our first priority and we are speaking directly with those affected.”
As well as a cyber liability policy, any technology provider who deals with such sensitive data should have a technology E&O policy. This provides protection in the event that a client makes a claim against them. “When dealing with companies that offer technology and software solutions, brokers need to understand the difference between a technology E&O policy and a cyber liability policy,” Barnett says. “There are broader coverages for those companies under the tech E&O.”