UK business software firm Sage has been hit by a data breach that might have compromised the personal information for employees of 280 UK businesses. Listed on the FTSE 100, the Newcastle-based company provides business software for accounting, payroll and payment services to companies across 23 countries.
"We believe there has been some unauthorised access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation," the company said in a statement on its UK homepage. "Our customers are always our first priority so we are communicating directly with those who may be affected and giving guidance on measures they can take to protect their security."
The company did not specify whether the "unauthorised access" of information, which was reportedly accessed sometime over the past few weeks, was stolen or just viewed. However, a person "familiar with the situation" told the Financial Times that a Sage employee's login details were used to gain access to the sensitive information, potentially affecting a "maximum of between 200 and 300 companies."
"We cannot comment further whist we work with the authorities to investigate but our customers remain our first priority and we are speaking directly with those affected," a Sage spokesperson said, BBC reports.
The breach is currently being investigated by the City of London while the Information Commissioner's Office (ICO), which is responsible for the enforcement of the Data Protection Act 1998, has been informed as well.
If the ICO finds evidence of negligence on the company's part, the authority could take serious action against the firm including criminal prosecution, a company audit or non-criminal enforcement, according to the BBC.
"The law requires organisations to have appropriate measures in place to keep people's personal data secure," the ICO said. "Where there's a suggestion that hasn't happened, the ICO can investigate, and enforce if necessary."
The latest breach comes at the heels of multiple data breaches including an attack on Oracle's Micros point-of-sale credit card payment systems earlier this month, allegedly carried out by Russian cybercrime group Carbanak Gang. The same month, thousands employee accounts of Google, Apple, Intel and other tech companies were reportedly stolen by hackers from a developer's forum.
In October, nearly 157,000 TalkTalk customers personal details were exposed in a much-publicised cyberattack on the telecom company that cost the firm about £60m ($78m) and a loss of 101,000 customers.