Cyber Security

Cyber Security

Important message to Phase 3 customers about our cyber security

It has been widely reported in the media yesterday (05.06.23) and today (06.06.23) that a number of UK Payroll providers have been impacted by the vulnerabilities in MOVEit Transfer. I can confirm and offer assurance that Phase 3 has not been impacted by this vulnerability.

What was the vulnerability?

In MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.

NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

The MOVEit application is used by a number of UK organisations in the payroll processing function, however Phase 3 are not a customer of MOVEit and have never used this application.

How do Phase 3 protect against similar attacks?

Phase 3 follow the best practice highlighted in the Cyber Essentials and ISO27001 frameworks. Our internal processes ensure our data processing is handled extremely sensitively given the highly confidential nature of the data we process. Our team are regularly trained and updated on cyber security and our processes rely on Microsoft and SFTP for the transfer of data depending on the client’s preference. All of our teams have complex passwords, two factor authentication and regular updates on passwords.

Additionally, our supply chain management process ensures that any supplier of Phase 3 software or services adheres to the same level of standards that we expect. In particular with our cloud-based payroll software our suppliers are regularly audited by Phase 3 and external auditors to ensure their data security practices and controls are robust and penetration testing is carried out regularly and the reporting reviewed.

Phase 3 also have a detailed Cyber Attack Response plan and a supplier to assist with a security incident response plan should the worst ever happen.

What have we learned from this latest information security incident?

We are aware that the point of file transfer is a common vulnerability if not managed correctly. Our teams utilise the Microsoft Azure Guest Access to grant access to a named shared folder within our network and create users with two factor authentication to share data, once shared the data is removed from the shared files.

For clients who prefer SFTP transfer, we have SFTP sites created to share data which again is wiped following the transfer of the data to reduce the potential for unauthorised access.

Statement authorised by: James Proctor, Chief Operating Officer

Date: 06.06.23

Our values form the foundations of everything we do at Phase 3. They are the driving force behind our great culture and inform how we act, the decisions we make and how we work with our clients.

Cyber Security icon

Dedicated expert consultants who specialise in people technology.

Cyber Security icon

No referral fees, no one pays us to refer clients to them.

Cyber Security icon

We'll provide consistent, committed professionalism in an open and honest environment.

Cyber Security icon

We don’t believe in fixed packages - we recognise your differences. Our proposals are all unique.

Cyber Security icon
Knowledge Sharing

We’ll upskill your inhouse team. We’ll teach them what we know!

We’re proud to be partnered with...
Brain payroll logo
Sign up for our latest updates!