Agencies like the Identity Theft Resource Center, which first started tracking data breaches in 2005, have shown that the numbers have set new records almost every single year for the sheer volume of attacks and consumer records exposed. Security experts have found that no industry is immune to data breaches, and that businesses of any size, from mom-and-pop shops to Fortune 500 companies, are vulnerable.
So news of yet another data breach shouldn’t make waves in the security industry, but the recent Sage Group data breach certainly has, largely due to the fact that an arrest has already been made.
Sage is a worldwide provider of accounting software, with literally millions of global clients. Some of the services the company provides are cloud-based, which is where the threat came in. An estimated 200 to 300 UK-based businesses that relied on Sage’s service for company bookkeeping, payroll, and more received calls that their employees’ personal data had been accessed in a data breach.
Apart from the refreshing change of actually tracking down a hacker and making an arrest, one of the other surprises in the Sage breach was the fact that it was an inside job. Someone with an internal login accessed the information, and apparently did a sloppy job of covering her tracks. While the company has not announced what the employee intended to do with the information, she was arrested trying to leave the UK at Heathrow Airport yesterday.
The fact that this aspect of the breach still comes as a surprise is itself one of the real contributors to data breaches and security violations. In approximately 43% of data breaches, the fault lies with an employee who either maliciously or accidentally caused the breach.
What really has cybersecurity experts alarmed about this breach, though, is the fact that Sage (like so many companies) seemingly allowed anyone from the CEO down to the janitor who sweeps the hallway to have unrestricted access to company data. Whether it’s a database of customer payment information, the personnel files for the entire company, or even proprietary information on the company’s products or business, too many businesses don’t restrict the level of access their employees can have. In this climate of pay-for-data, the end result really shouldn’t be so surprising.