Sophos data leak: Cyber security firm exposed a subset of customer data

British cyber security firm Sophos recently misconfigured a tool used to store information on customers, thereby leaking the names, email addresses, and phone numbers of a subset of its customers.

The misconfiguration was spotted by a security researcher who contacted the cyber security firm on Tuesday to alert it to the data leak. This prompted Sophos to immediately address the issue and notify affected customers in an email that was accessed by ZDNet.

"On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support," the firm said in the email addressed to affected customers.

While Sophos has not disclosed the data security incident on its website, a spokesperson told ZDNet that the misconfiguration affected only a "small subset" of the company's customers and exposed the first and last names, email addresses, and phone numbers of customers.

"At Sophos, customer privacy and security are always our top priority. We are contacting all affected customers. Additionally, we are implementing additional measures to ensure access permission settings are continuously secure," the spokesperson said.

Sophos is presently owned by U.S. private equity firm Thoma Bravo, which acquired the British maker of antivirus and encryption products for about $3.8 billion in October last year. The acquisition took place on the heels of dismal results from Sophos, which saw waning demand for its cyber security tools and shed a third of its value in 2018.

Commenting on the Sophos data leak, Ilia Kolochenko, Founder & CEO of ImmuniWeb, said that the incident is a colorful reminder that no one is immune from human error, exacerbated by the pandemic's havoc and the growing complexity of the modern threat landscape. Continuous attack surface monitoring, he said, is the must-have solution to detect, respond to, and mitigate in a timely manner the growing complexity of IT infrastructure, human omissions, and related misconfigurations.

The incident, however, is unlikely to have any major consequences for the victims, Kolochenko said, as no highly sensitive information, such as banking, health, or credit card data, was reportedly exposed. Sophos also reacted quickly and professionally, taking accountability for the incident with adequate mitigation.

This is the second time this year that Sophos has had to deal with a data security incident. In April, the firm revealed that cyber criminals had exploited a SQL injection vulnerability in the management interface of its XG Firewall to exfiltrate user data such as usernames, passwords, and local device admin accounts.

According to Sophos, the attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices and exfiltrate XG Firewall-resident data. Hackers behind the activity compromised usernames and hashed passwords associated with user accounts that were being used for remote access. Sophos also revealed that hackers may have exfiltrated local device admins, user portal accounts, and accounts used for remote access.

After discovering the breach, the firm began an investigation and deployed a hotfix to all supported XG Firewall/SFOS versions to eliminate the SQL injection vulnerability. The hotfix prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack.

Customers using compromised XG Firewall devices were also advised by Sophos to immediately download the hotfix, reset device administrator accounts, reset passwords for all local user accounts, and reset passwords for any accounts where the XG credentials might have been reused.

UPDATE: Security researcher Graham Cluley has shared a copy of the letter that Sophos sent to customers to inform them about the latest data security incident:

Copyright Lyonsdown Limited 2020