Sophos Alerts Customers Of Info Exposure After Security Breach
British cybersecurity and hardware company Sophos has emailed a small group of customers to alert them that their personal information was exposed following a security breach discovered on Tuesday.
The exposed customer data was accessible to unauthorized parties due to a misconfigured “tool” used by the company to store information by users who reached out to the company’s support team.
Only a small subset of customers affected
“On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support,” the company said in the notification email.
“As a result, some data from a small subset of Sophos customers was exposed. We quickly fixed the issue.”
Sophos did not provide any information on who discovered and disclosed the insecure storage tool or on the exact number of customers who had their personal info exposed due to this security breach.
The exposed data includes customers’ first and last names, email addresses, and their contact phone number if it was provided to Sophos Support.
The company also said that the customer support information is no longer exposed after remediation measures were taken to stop the data exposure.
“At Sophos, customer privacy and security are always our priority,” the cybersecurity firm added. “We are contacting all affected customers.”
“Additionally, we are implementing additional measures to ensure access permission settings are continuously secure.”
Not the first security incident this year
Earlier this year, Sophos fixed a zero-day SQL injection vulnerability in their XG Firewall following reports that hackers were actively exploiting it in attacks.
A new Trojan malware, dubbed Asnarök by Sophos researchers, exploited the zero-day to try and steal firewall usernames and hashed passwords from XG Firewall users starting with April 22, 2020.
The same Sophos XG firewall zero-day was also exploited in failed attempts to deliver Ragnarok Ransomware payloads onto companies’ Windows systems.
Update: A Sophos spokesperson told BleepingComputer that only “a small subset was affected in no specific region” and that “Sophos quickly fixed the issue.”
Privacy Ninja provides GUARANTEED quality and results for the following services:
DPO-As-A-Service (Outsourced DPO Subscription)
PDPA Compliance Training
PDPA Compliance Audit
Digital Transformation Consultancy
Data Protection Trustmarks Certification Readiness Consultancy
PDPA Data Protection Software
Vulnerability Assessment & Penetration Testing (VAPT)
Smart Contract Audit