Employee Charged with Fraud After Data Breach at Sage

Based in the U.K., Sage supplies payroll and accounting software to small and medium-sized companies.

Earlier this week, Sage revealed that someone using employee credentials caused a data breach internally when they accessed corporate data without authorization.

Experts tell SHRM Online that internal data breaches can be mitigated with training, policies and observation of internal systems.

Sage has yet to reveal if the stolen information was leaked or sold—or what data may have been compromised. However, according to news reports, Sage retains a great deal of information about its clients, including their names, addresses and financial data—all of which thieves would find attractive.

The company notified customers, and authorizes are investigating. The arrested employee has since made bail. Between 200 and 300 businesses in the UK may be victims of the breach.

In a statement, Sage said: "Our customers are always our first priority so we are communicating directly with those who may be affected and giving guidance on measures they can take to protect their security. Please note this issue does not affect any customers in other countries."

Insider cyberattacks, accidental data breaches and cyber espionage are not new, as SHRM Online has reported in the past.

According to IBM's X-Force security team, 55 percent of all corporate attacks are caused accidentally by human error or done maliciously by employees; 45 percent are performed by outsiders.

In an interview with SHRM Online earlier this spring, Mark Sangster, vice president and industry security strategist at eSentire, a cybersecurity company based in Cambridge, Ontario, said that he's : "seeing many cases of insider data breaches that involve leaking sensitive data for [financial gain] or more malicious intent. However, quickly, we expect to see hardline compliance rules and fines come to firms with sub-standard cyber security defenses in the future."

David Meyer, vice president of products at San Francisco-based OneLogin said internal breaches "highlight the need for more security awareness training" for employees. OneLogin, provides single sign-on and identity management for cloud-based applications.

"The security [attitude] day to day among the employees is the largest battle," he told SHRM Online. "Technology is critical as well—you should eliminate passwords in applications, use multiple authentication factors, analyze behavior. Yet, the attitude employees have can circumvent all of that." 

Letting unidentified people onto your floor, answering questions about your company casually in a bar—that can be used to gain access later—these are the key gaps in your defenses.

"HR needs to partner with IT to ensure the workplace facilitates security," Meyer said.

He added: "One of our customers has a policy of looking over all activities for the past 90 days when an employee resigns. This is because the intention to leave comes long before the resignation, and with the intention to leave comes a risk of bad behavior," Meyer said, adding that the better manager training is, the better there's trust in an organization, and the better there's a sense of aligned values and common mission mitigate these factors. 

"If there is no ill will, then there will be fewer malicious acts," Meyer said.