
    Sage Pastel flaw exposes customer data

    By Regardt van der Berg, 28 May 2014

    A security report released by IT consultant Johan Pienaar claims accounting software firm Sage Pastel left customer data exposed on an FTP server used by its technical support department to assist clients when they encounter problems with its software.

    Founded in 1989, Sage Pastel is a large South African developer of payroll, enterprise resource planning and accounting software for business. The company has more than 200 000 customers, many of which entrust it with sensitive and confidential financial information.

    Speaking to TechCentral, Pienaar explains that his small and medium business consultancy, IT Lounge, has a number of clients using Sage Pastel. He recently became aware of the FTP flaw when he placed a support call to the company. He encountered a compatibility problem with one of Sage Pastel’s add-ons, to which the support team responded with a beta version of a patch to fix the issue.

    The document sent to Pienaar from the support desk was an outdated Microsoft Word document last amended in 2009, according to the file’s metadata. “It was evident that the password has not been updated since 2009 and any information that was placed on the FTP server has been available for download to any user who, in the six years since, has received support requiring a download from Sage Pastel.”

    When Pienaar logged onto the FTP server, he discovered that along with support files, such as the patch he needed, was accounting data for “20 or 30 companies”.

    Some of this data was uploaded as recently as last week, he says. It was also not secured. “The data tables were not protected at all.”

    Using a software tool, which is included with every copy of Sage Pastel, these database tables can be read, he adds. This method could also be used to reset customer passwords.

    Johan Pienaar put together a video explaining the vulnerability.

    Sage Pastel MD Steven Cohen says 75% of the company’s clients are on service contracts that use a secure Dropbox-like service to host data when it is used for support purposes. “Those that are not on contract send us their data via FTP, to which we supply the login details.”

    Cohen says the FTP server can only be accessed by Sage Pastel resellers who have been given a username and password to access the service. “Unfortunately, this site hosted other people’s data,” he says, adding that it was visible to another user logged into the FTP server. “At any one time, there are probably 20 sets of data hosted on this server.”

    Sage Pastel has since shut down the FTP site and in future will host all of the support data via a secure website.

    Although Cohen says it is illegal to access other customers’ data on the FTP server, he agrees that it was an oversight by the company not to employ more secure means.

    “We have been working with Microsoft over the last two months on the Azure cloud platform where we want to start hosting our data because that would be more secure.”  — © 2014 NewsCentral Media
