By Eric Auchard
FRANKFURT (Reuters) - Sage Group (LON:SGE), already hit by an insider data breach this week, then found itself racing to shut down security lapses by more than 20 customers after a U.S. researcher uncovered stores of their corporate data exposed online.
The British financial software provider said the incidents were unrelated, but they highlight the range of security risks facing technology suppliers – from the relatively rare danger of rogue employees to the harder-to-control lax security practices of customers.
Sage said the online data leaks appear to be the result of customers or contractors in more than a dozen countries ignoring warnings against installing Sage business planning software inside their firms without basic firewall protections.
On Thursday it said it had spent the past two days contacting vulnerable customers to tell them to shut down connections, after being notified of the breaches by U.S. researcher Chris Vickery, 31. He is known for previously digging up hundreds of millions of leaked voter records online.
The databases Vickery stumbled on online were from poorly secured, in-house customer installations of Sage X3 software, which firms of up to 2,000 employees use to run finance, purchasing, inventory, sales and customer service functions.
"If you are a large Sage client, make sure that your software installations are behind a firewall or, at the very least, you have some sort of access restrictions in place," Vickery wrote in a blog post (https://goo.gl/Dx2Lbj).
"Most companies do, but I know of at least 20 that did not ... and the possible repercussions for those clients are frightening."
The software, which acts as a platform for other Sage products, has around 5,000 customers and accounts for 5 percent of total company turnover. Sage counts 3 million small and medium-sized business customers worldwide.
INSIDER THREAT
It was the second security-related incident to hit the Newcastle-based company this week after Sage said on Sunday that an internal login was used to gain access to the employee data of around 280 British customers (http://reut.rs/2bDJynj). Sage payroll-processing software is used by more than half of British firms.
A source at the company said Sage is working to ascertain whether any data has actually been stolen, while police on Wednesday arrested a 32-year-old Sage employee on suspicion of fraud against the company.
Experts say the vast majority of large-scale data breaches are the result of outside hackers using trickery to gain inside access to corporate data, typically for financial gain, a scenario that does not appear to be in play in Sage's case.
Vickery is known for exposing a variety of high-profile database breaches including vast numbers of U.S. and Mexican voter records, children's data on sites such as Hello Kitty, and dating records on the site BeautifulPeople.com.
He was hired as a security researcher early this year by the creators of MacKeeper, a Macintosh utility and security programme, after he discovered a company database of 13 million users which was exposed to hackers.