The Book-keepers Forum (BKF)

TOPIC: 'Oops' says a red-faced Sage

Expert


https://theantisocialengineer.com/potential-sage-uk-payroll-data-breach/



-- Edited by VinceH on Monday 15th of August 2016 11:00:13 AM

__________________

Vince M Hudd - Soft Rock Software

(I only came here looking for fellow apiarists...)



Expert

Hmm... quick test to see if I can reply to this. I couldn't before, and didn't have time to work out why.



-- Edited by VinceH on Monday 15th of August 2016 11:00:26 AM

__________________

Vince M Hudd - Soft Rock Software




Expert

And another test...



__________________

Vince M Hudd - Soft Rock Software




Forum Moderator & Expert

And that raises some quite basic questions about pretty basic security as to how an employee (or group of employees) was able to steal the data.

As the blog states, insider threats can almost always be prevented (if you have the right controls in place), i.e. really basic stuff such as segregation of access to information (doesn't prevent conspiracy of course), and I've never worked at a real-sized company where USB ports are not disabled, emails are monitored by a dedicated security team and email attachments are not allowed.

It just annoys me that companies can turn around and say it's not us, the employee did it. Are they saying that this one employee could see things that their entire security division, which one would hope would have many years of experience across multiple industries, was unable to foresee?

My view is that there is never any real excuse for this sort of thing and employee data theft happens because the employer did not have adequate controls in place to prevent it.

Whilst this is in no way defending Sage, it has to be said that they are not the first and they will certainly not be the last, which makes it almost (almost) wrong to name and shame them, as all of the others are just looking at it as "phew, all attention's on Sage, let's get our own security checked out properly whilst they're being crucified".

__________________

Shaun

Responses are not meant as a substitute for professional advice. Answers are intended as outline only; the advice of a qualified professional with access to all relevant information should be sought before acting on any response given.



Forum Moderator & Expert

Hi Vince,

I had some issues replying to this thread as well.

I know that I hit post but it took me to the advanced editor without posting and when I went back a page it indicated that it had already posted (which it hadn't).

The issue seems to have resolved itself now but I'll log it for next time that I'm chatting with Steve.

__________________

Shaun




Expert

Okay, I *think* the problem may have been because I'd started the subject line with a normal quotation mark (a bug of some sort in the forum software?). I had to re-input the subject line in the test reply, and I've since edited it to an apostrophe/single quote. Replying now works.

Now to what I attempted to say before...

When I initially posted that link, I hadn't read any of the details, but I'd seen references to this breach in a couple of places. I've now read it.

It's Sage's payroll service that has suffered the breach, and "up to" 300 *large* companies possibly affected, with the data that may have been pilfered including employee personal information - names, dates of birth, NI numbers, bank account details, etc.

A word that is conspicuous by its absence is "cloud" - for the above sort of information to have been vulnerable, though, I think it must be their cloudy payroll.

The breach is said to have been through an "internal login" - most likely, therefore, the result of a careless employee, perhaps a victim of phishing.* I've always said that possibility is a risk, and it's one of the many reasons I don't like the idea of cloud.

* I actually read a different link to the one I posted; that one does say it appears to have been conducted by an employee.

Edited to add the strike out and footnote.




-- Edited by VinceH on Monday 15th of August 2016 11:15:00 AM

__________________

Vince M Hudd - Soft Rock Software




Forum Moderator & Expert

I'm not convinced it's the cloud this time, Vince, as they use the word large when referring to the companies concerned, and why would any serious-sized company ever use cloud payroll? That seems like finding a graphic design company is using a ZX Spectrum.

My impression was that this is a good old-fashioned "plug in a USB drive, dump an Excel spreadsheet, then straight out the door with it" sort of crime.

Truth is we'll probably never know what the actual breach was or which country it was performed in, as it will be glossed over with a generic "data was stolen".

__________________

Shaun




Forum Moderator & Expert

Oops, responded pre-edit, but I still don't think that it's cloud based in this instance.

Certainly not defending the cloud, but just going on the article stating that the information was from large companies and, to my mind, large = desktop solutions, small = probably doesn't realise that they should be using desktop solutions.

__________________

Shaun




Expert

The reason I think it is cloud is because of the nature of the data concerned. Why on Earth would Sage otherwise have that sort of data?

__________________

Vince M Hudd - Soft Rock Software




Expert

Actually, reading that article again, I can see he talks about "The data that Sage are likely to hold on many UK companies and their staff will consist of" - so, yeah, you could be right. I conflated that with the breach itself, rather than seeing it as the writer making a point.

__________________

Vince M Hudd - Soft Rock Software


©2007-2024 The Book-keepers Forum (BKF). All Rights Reserved. The Book-keepers Forum (BKF) is a trading division of Bookcert Ltd. Registered in England Company Number 05782923. 2 Laurel House, 1 Station Rd, Worle, Weston-super-Mare, North Somerset, BS22 6AR, United Kingdom. The Book-keepers Forum and BKF are trademarks of Bookcert Ltd. This forum is a discussion forum only. There will usually be more than one opinion to any question and any posting should not be viewed as a definitive solution. No responsibility for loss occasioned to any person acting or refraining from action as a result of any posting on this site is accepted by the contributors or The Book-keepers Forum. In all cases, appropriate professional advice should be sought before making a decision. We reserve the right to remove any postings which are offensive, libellous, self-promoting or engaged in covert marketing. We will not notify users of removals. The views expressed in the forum posts are those of the individual and do not necessary reflect or agree with those of The Book-keepers Forum. Any offensive or unsuitable posts will be removed by the moderators. Any reader of this forum can request for a post to be looked into by sending an email to: bookcertltd@gmail.com.