Well, this is awkward.
Security firm Sophos is contacting “a small subset” of its customers warning that their details have been exposed following a breach in security.
Sophos says that it was “advised” (it doesn’t say by who, but one assumes a security researcher) that a tool it uses to store information on customers who have contacted its technical support department was suffering from “an access permission issue”.
In other words, the data was accessible by unauthorised parties.
Sophos isn’t sharing how many customers had their data exposed, but in an email to affected users it says the following information was exposed:
- First name
- Last name
- Email address
- Contact phone number
Such information could, of course, be exploited by criminals if it fell into their hands. It’s easy to imagine how a fraudster could, for instance, create a targeted attack against a company disguised as a response from Sophos’s customer support department.
Here’s an example of the email Sophos is sending affected customers, informing them of the security breach:
You can’t help but wonder if the reason why Sophos is not sharing quite how many customers have been affected by the issue is because they’re worried that detail might just fuel more headlines in the security press.
Sophos says that the data is no longer exposed, which is obviously good – but doesn’t help if the data has already been scooped up by someone with malicious intent.
There is no word in its email to customers as to whether Sophos has informed the Information Commissioner’s Office of the security breach, but it does say that it is implementing controls in an attempt to prevent similar incidents happening again in future.
Remember folks, if a security company like Sophos can suffer a data breach like this then it could potentially happen to any organisation. No one is immune from screw-ups.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
2 comments on “Sophos security breach exposes customer support records”
Excellent post on this breach. Every breach should be a lesson for all of us. Can’t think of any positive public reason not no reveal more details as a breached company. And now no one can learn from their fault.
"doesn’t help if the data has already been scooped up by someone with malicious intent"
Akin to "Closing the barn door after the cattle have been stolen" and saying nothing about it.