Sophos warns customers of potential data leak

The incident is the second the security firm has suffered in 2020

Sophos sign outside a building

UK cyber security firm Sophos has notified customers that data has potentially been leaked online due to a misconfigured database.

The company said it was alerted to the misconfiguration by a security researcher, and that it fixed the issue immediately.

However, a "small subset" of the company's customers were affected, with first and last names, email addresses and phone numbers thought to have been accessed. Earlier this week Sophos began emailing those customers thought to have been affected.

"On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support," an email to customers read, as seen by ZDNet.

It added that additional safeguards had now been implemented to ensure access permission settings can't be exploited in the future.

This is the second major security incident in 2020 for Sophos after cyber criminals exploited a zero-day vulnerability in the firms XG firewall in April. Attackers used this to deploy ransomware but were eventually foiled by the security firm.

Related Resource

Leadership compass: Privileged Access Management

Securing privileged accounts in a high-risk environment

Priviledged Access Managenment whitepaperDownload now

"At Sophos, customer privacy and security are always our top priority. We are contacting all affected customers," the company said. "Additionally, we are implementing additional measures to ensure access permission settings are continuously secure."

While the breach may cause some embarrassment for Sophos, the incident will unlikely lead to any major consequences for its customers or regulatory action for the company itself, according to Ilia Kolochenko, founder & CEO of web security company ImmuniWeb.

"No highly sensitive information, such as banking, health or credit card data, was reportedly exposed," Kolochenko told IT Pro. "Moreover, many users that approach support, commonly use central phone numbers or even fake emails that are of not much value to hackers. Sophos's open reaction to the incident seems to be swift and professional, taking accountability for the incident with adequate mitigation.

"Compared to the countless data breaches with disastrous consequences in 2020, this minor incident will unlikely to attract the attention of law enforcement agencies or regulatory authorities."

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Nearly seven in ten CISOs expect a ransomware attack
ransomware

Nearly seven in ten CISOs expect a ransomware attack

19 Oct 2021
Acer Taiwan falls victim to cyber attack
hacking

Acer Taiwan falls victim to cyber attack

18 Oct 2021
Marsh McLennan reveals its cyber risk analytics center
risk management

Marsh McLennan reveals its cyber risk analytics center

15 Oct 2021
£100 contactless payment limit could place shoppers at risk, warn industry experts
Policy & legislation

£100 contactless payment limit could place shoppers at risk, warn industry experts

15 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021