Sophos suspends partner portal following "suspicious activity"

Security vendor taking "super-paranoid" approach after finding two unauthorised programs on its partner portal web server

Sophos has temporarily taken its partner portal offline in response to a potential data breach.

The security vendor emailed partners this morning informing them that it had discovered "suspicious activity" on the Sophos Partner Portal network.

There is no evidence that any data has been compromised and the decision to suspend partner logins to the site is precautionary, Sophos stressed.

However, James Lyne, director of technology strategy at Sophos, said the firm is taking a "super-paranoid" stance on the matter.

He told ChannelWeb: "At the moment, I do not believe there is going to be anything more to this but we need to complete our forensic process to be 100 per cent sure. We are checking through our logs, security controls and firewalls and going through absolutely everything to make sure there is not a problem."

In the email, Sophos recommended that partners change the password on any other account where they had reused their portal password. Partners will be able to use the portal again once the forensic audit is complete.

Partners who have already moved to the new Salesforce (SFDC)-based partner portal do not need to reset their passwords, as that site was not compromised, Sophos said.

Suspicious activity

Sophos discovered the suspicious activity on the main web server that serves its partner portal on Tuesday. It said two unauthorised programs were found on the server, with preliminary investigations indicating that they were designed to allow unauthorised remote access to information.

The databases on that server hold partners' names and business addresses, email addresses, contact details and hashed passwords.

"We do not currently know if email addresses were accessed by any unauthorised persons, but if they were, it is possible that partners may find they are targeted by phishing emails purporting to come from Sophos or other targeted attacks," Sophos said.

"We realise that the site's downtime and the forced password resets may be an overreaction and are sorry for the disruption this will cause, but we would rather cause some inconvenience at this stage than delay as we wait for further information.

"Again, we apologise for the inconvenience caused and will continue to take every precaution in protecting partners' data."

Martin Hellawell, managing director of Sophos partner Softcat, said he was concerned that deal registration data could have been compromised. "The portal shows all the projects you have coming up and I would be a bit nervous if that bit of information got into the wider world," he said.

Lyne said the next major update would come on Tuesday, unless there is anything more serious to report in the interim.