Cybersecurity firm Sophos has confirmed it experienced a data incident that caused the personal information of some users to be exposed to third parties.
Describing the incident in an email notification sent to affected customers, Sophos said the data was exposed through a tool used by customer support. The tool stores full names, email addresses and phone numbers (if provided) from people contacting customer support, and that data was left exposed due to a misconfiguration in the tool.
The company did not say exactly which tool was misconfigured, or how many people were actually affected. It said only that it remedied the problem and that the data is no longer accessible to unauthorized parties. Talking to Bleeping Computer, the company’s spokesperson said only a small subset of customers, from no specific region, was affected.
“On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support,” the email reads. “As a result, some data from a small subset of Sophos customers was exposed. We quickly fixed the issue.”
The company also added that it is implementing “additional measures” to make sure access permission settings are continuously secure, without going into further details.
In late April this year, Sophos found and remedied a zero-day SQL injection vulnerability in its XG Firewall, after news started surfacing of hackers exploiting it in the wild.