The City of London Police arrested a Sage employee on Wednesday on suspicion of fraud.
Police arrested the 32-year-old woman at Heathrow airport on Wednesday, almost a week after the company reported a data breach that could have affected as many as 300 UK companies.
“The woman was arrested in connection with an alleged fraud against the company Sage. She has since been bailed,” the City of London Police said on Thursday.
Last week Sage warned customers that someone had gained unauthorised access to customer data using an internal login, though it was not clear whether the breach was carried out by an employee or by an outsider using employee login details.
The breach may have exposed personal and financial information on employees of the affected firms.
“We continue to work closely with the authorities to investigate the situation,” Sage said after the arrest.
Sage has several million customers around the world, including in Australia, and is a major software supplier to UK businesses. The company said the incident does not affect any customers outside of the UK.
Insider threats are not new to the enterprise; however, detection based on deviations from normal employee behaviour is tricky, in part due to the breadth of possible motivations.
An analysis by the UK’s Centre for the Protection of National Infrastructure (CPNI) of 120 UK-based insider cases between 2007 and 2012 found that 82 percent of incidents were carried out by males, and 18 percent by females. Nearly all perpetrators were permanent staff, while 60 percent of cases involved staff who had worked for the organisation for under five years.
CPNI's study identified financial gain as the leading motivation for insider jobs, followed by ideology, desire for recognition, and loyalties to entities outside the organisation. Just six percent were motivated by revenge, though CPNI noted that malicious insiders often cited multiple motivations.
Verizon noted in its 2016 data breach report that inside jobs took the longest of all classes of breach to detect. Insiders most commonly abused privileged access to gain information for unsanctioned uses. Previous years’ reports have found that most insider threats used the local area network to inappropriately access data.