Police arrest woman in connection with Sage data breach

City of London police officers have arrested a 32-year-old woman employed by accounting software firm Sage in connection with a data breach at the company.

The arrest at Heathrow Airport comes just days after Sage warned someone had gained unauthorised access to employee data at nearly 300 UK firms using an internal login.

The woman was arrested on suspicion of conspiracy to defraud on 17 August 2016, but has since been released on bail.

Sage is based in Newcastle upon Tyne and provides business software for accounting and payroll services to firms across 23 countries.

The company said it had notified all the UK companies affected by the breach and was working closely with the police.

Highlighting that the cost of data breaches are seldom confined to remediation and recovery costs, Sage’s share price fell by as much as 4.3% on the news, but it has since recovered.

The breach also highlighted the need for companies to have the capacity to deal with either the use of stolen user credentials by attackers or the misuse of credentials by company employees.

The problem with insider breaches is that so many of the preventative technologies that companies have spent millions on are powerless to detect malicious activity once the user has been authenticated, said Matthew Ravden, chief marketing officer at security firm Balabit.

“Too much faith has been placed in password-management systems, which a privileged user just logs into and is given unconstrained access to sensitive data,” he said.

“Organisations must put greater emphasis on monitoring and analysing these users in real time to detect unusual activities and stop malicious acts from happening.”

Most organisations still focus on securing their borders, according to Morgan Gerhart, vice-president at security firm Imperva.

“The main problem is that there are no real borders to secure. Corporations are way past the time where there was a clear and defined perimeter to protect,” he said.

Gerhart added that organisations therefore should assume the borders have already been crossed and their network is compromised, and focus on protecting the data from internal and external threats.

Barry Scott, chief technology officer for security firm Centrify, said that when a data breach occurs – especially using a company account – immediate forensic analysis of the breach is needed to understand its full extent. 

“Audit software should be in place to collect detailed records of activity, and to enable replay of sessions for the user across the whole environment leading up to the event,” he said.

“Insider attacks and threats are often avoidable, either by current or past employees, so long as the right safeguards are in place.”

According to Lieberman Software product strategy vice-president Jonathan Sander, every organisation should shift to a least-trust model for inside security.

“They should even make the goal zero trust. Every scrap of sensitive information should be under a least-permission model in files, folders, email systems, and inside applications. Very rigorous process must be applied to IT administrators and the privileged access they have because it can bypass all your strong security if you're not careful,” he said.

Insider threats are a growing concern for many companies, said Javvad Malik, security advocate at security firm AlienVault.

“Ever since Edward Snowden became the poster child to showcase the immense damage a motivated malicious insider can cause, more efforts have been put into understanding, preventing and detecting this threat,” he said.