The company said it was alerted to the misconfiguration by a security researcher, and that it fixed the issue immediately.
The outfit insists that only a “small subset” of the company’s customers were affected, with first and last names, email addresses and phone numbers thought to have been accessed. However, this is the second time this year that Sophos has been hit by a security leak, which is rather bad for a security company. The earlier attack came after cybercriminals exploited a zero-day vulnerability in the firm’s XG firewall in April. Attackers used this to deploy ransomware but were eventually foiled by the security firm.
Earlier this week Sophos began emailing those customers thought to have been affected.
“On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support”, an email to customers read.
It added that additional safeguards had now been implemented to ensure access permission settings can’t be exploited in the future.
“At Sophos, customer privacy and security are always our top priority. We are contacting all affected customers. Additionally, we are implementing additional measures to ensure access permission settings are continuously secure.”