Pastelsecured released a press statement warning that a basic security flaw in the architecture of Sage Pastel Xpress, Sage Pastel Partner, Sage Pastel Partner Payroll, and Sage 5in1 Payroll has left the data of 200,000 users vulnerable to third parties.
“After seeing the financial data of 20-30 entities left exposed on a public FTP server whilst applying a patch to the Sage Pastel Partner Accounting system of a client, we started an investigation into the security of extremely sensitive financial data. The results were shocking,” said Pastelsecured.
“Within minutes after using client data such as that left in the public domain by Sage Pastel we had gained full access to the entire database and all financial information.”
According to Pastelsecured, they could access payroll data, including the bank account details of employees and the details of their remuneration, as well as income statements and balance sheets, cash book details, and the costing and pricing structures of the companies.
“In further investigations we also determined that the Sage Pastel financial data of any company will be easily accessible to a broad scope of people,” the company said.
Pastelsecured said that data that was compromised through theft or data that was sent offsite could be opened within two minutes.
“This represents an enormous crisis for any company using these products. Changing an accounting package is not easy and it is unlikely that this problem can be fixed quickly and even so the scope of the roll-out of such a patch is an enormous undertaking,” they said.
Pastelsecured is expected to announce the details of a solution that will enable users with internet access to keep using Pastel whilst simultaneously securing their data.
Sage Pastel taking immediate action
Sage Pastel Accounting and Sage Pastel Payroll & HR said that they are taking immediate action to address an issue with their internal processes that affects a very small minority of the 200,000 businesses that use their software.
“The issue relates to a public FTP server that Sage Pastel uses to provide support for users without service contracts in the event that they are experiencing data issues with their Sage Pastel software. 75% of Sage Pastel users have service contracts and hence do not use the server at all,” the company said.
This FTP site can only be accessed by Sage Pastel resellers who have been given a username and password to access the service.
“At any time, there are no more than 20 sets of customer data on the FTP server, or around 0.1% of the total Sage Pastel customer base that do not have service contracts with Sage Pastel,” the company added.
“A technically minded user with a client’s password and username would be able to—with some effort—access and copy that client’s data.”
To close this security gap, Sage Pastel is discontinuing the usage of the FTP server with immediate effect. “There is no reason to suspect that any client’s data has been compromised,” the company said.
“We thank Mr Pienaar for drawing this issue to our attention. Action has already been taken to address it,” said Sage Pastel Accounting MD Steven Cohen.
“At the same time, it is worth noting that only a tiny fraction of client data is on that server at any time, and only a technical person who already has a password and username would be able to access it,” said Cohen.
“Like any online business, we are mindful of the risks when a loophole in our internal processes is identified. We are in a digital age and recognise the need to keep pace with an evolving technology landscape. We are committed to following best practices in information security and to the continuous improvement of our internal processes and technology.”
“Threats to information and internal processes are nothing new. In the past, companies faced the risk that staff members could print out their financial reports, then leak them accidentally (by losing them) or on purpose (by handing them to competitors),” said Cohen.
“As such, companies and their service providers all need to be vigilant about their data and protect it with a holistic strategy that covers their people, processes and technology,” he concluded.