Insider breach at Sage and potentially exposed on-premise Sage servers

Insider breach may have led to unauthorized access to UK customer data

According to this article at Data Breach Today, Sage UK accounts may have been affected by an insider breach. British police arrested a 32-year-old woman at Heathrow Airport on suspicion of conspiracy to defraud and confirmed that the woman is currently an employee of Sage. Details of what was accessed, when and for what purpose are still unknown, but Sage has confirmed that they are working with the authorities on the matter and are reaching out to the customers who may have been affected. This is an excellent reminder that damage isn’t always the result of an external threat.

Security Researcher found 20+ Sage X3 Servers exposed to the Internet and vulnerable

In addition to the insider breach, Chris Vickery discovered via a Shodan search multiple on-premise Sage X3 servers exposed to the Internet with no username or password required. Three things jump out at me here that are critical when it comes to securing sensitive (or any) infrastructure.

  • VPN – Unless the server is a website or otherwise has to be accessible to the public, put it behind a firewall and require a VPN to access it. VPN technology is inexpensive, easy to deploy and will prevent a casual passerby (like someone doing a Shodan search) from seeing what you have. In this case, that casual passerby can see a) that they have Sage X3 and b) that there’s no username and/or password required to access it. Not a good thing.
  • Strong password policy – What constitutes a strong password is hotly debated but, at the end of the day, we can all agree that no username or password at all is a horrible plan.
  • Testing – Once you have your sensitive assets behind a firewall and accessible via VPN only, and you have a good password policy (and possibly even 2FA set up), test your network for additional vulnerabilities. A simple vulnerability assessment would have identified the exposed servers as a vulnerability, and the associated risks (an unauthenticated third party can simply connect to your server and ‘do stuff’) would have been disclosed in the report privately to the company, not aired out to the Internet at large.

If you have questions about security or believe that your company or organization may be exposed to risks because of exposed vulnerabilities, please feel free to contact us here.
