Tuesday, 16 August 2016
Sage hacked: insider threat and third party liability
According to reports, internal login details were used, so this was less of a high-tech hack and more a case of walking in through an unlocked door - probably a disgruntled insider.
The Information Commissioner's Office is having a look at this, and this breach is potentially more serious than TalkTalk, as the type of data accessed looks to be more valuable and personal. But when the fire has been put out, who will pick up the tab and compensate the individuals whose data has been taken?
Sage will no doubt be going through the terms and conditions of its standard contracts to determine whether it can wriggle out of any liability to its impacted customers. In any event, what direct loss does a customer suffer if name, address, bank details, etc. are published on the open internet? If a customer is later the victim of internet fraud, will it be possible to establish a causal link between the breach and the loss?
Might Sage be insured for cyber breach? If so, does this cover insider threat, which might well be viewed as negligent? Will the insurance extend to paying compensation to Sage's customers?
Given the above complexity, it is understandable that Sage should seek to keep as low a profile as possible on this matter, but if you are using a Sage solution right now, how secure do you feel?
Anybody can be hacked, but the question of who picks up the tab when it happens is far from settled.