Important message to Phase 3 customers about our cyber security
It has been widely reported in the media yesterday (05.06.23) and today (06.06.23) that a number of UK Payroll providers have been impacted by the vulnerabilities in MOVEit Transfer. I can confirm and offer assurance that Phase 3 has not been impacted by this vulnerability.
What was the vulnerability?
In MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
NOTE: this was exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.
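The version list above is easier to act on as a check. As an added example, not part of the Phase 3 statement or of any MOVEit tooling, the Python below classifies a MOVEit Transfer version string against the fixed versions quoted above; the conversion between the year-style and the 13.x/14.x/15.x numbering follows the pairings given in the text, and the host inventory at the bottom is constructed.

```python
import re

# Added example, not part of the Phase 3 statement or of any MOVEit tooling.
# Fixed versions quoted in the advisory text, keyed by release branch (year, minor).
FIXED = {
    (2021, 0): (2021, 0, 6),
    (2021, 1): (2021, 1, 4),
    (2022, 0): (2022, 0, 4),
    (2022, 1): (2022, 1, 5),
    (2023, 0): (2023, 0, 1),
}
OLDEST_PATCHED_BRANCH = min(FIXED)  # (2021, 0); every branch below it is affected


def parse_version(text):
    """Return (year, minor, patch) from '2022.1.3', '14.1.3' or '2019x' style strings.

    The advisory pairs 13.x/14.x/15.x with 2021/2022/2023, so a major number
    below 100 is converted with +2008 (derived from those pairings).
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    parts += [0] * (3 - len(parts))  # '2019x' -> (2019, 0, 0)
    year, minor, patch = parts[:3]
    if year < 100:
        year += 2008
    return (year, minor, patch)


def is_affected(text):
    """True if the version predates its branch's fix (or sits on an older branch)."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    if branch < OLDEST_PATCHED_BRANCH:
        return True  # 2020.0, 2019.x, ...: no fixed release exists for these
    raise ValueError(f"branch {branch} is not covered by the advisory text")


def triage(inventory):
    """Map host -> affected? for an inventory of {host: version_string}."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"mft-01": "2022.1.4", "mft-02": "14.1.5", "mft-legacy": "2019x"}
    for host, affected in triage(sample).items():
        print(f"{host}: {'AFFECTED - patch or isolate' if affected else 'at or above fixed version'}")
```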
The MOVEit application is used by a number of UK organisations in the payroll processing function. However, Phase 3 are not a customer of MOVEit and have never used this application.
How do Phase 3 protect against similar attacks?
Phase 3 follow the best practice highlighted in the Cyber Essentials and ISO27001 frameworks. Our internal processes ensure that our data processing is handled extremely sensitively, given the highly confidential nature of the data we process. Our team are regularly trained and updated on cyber security, and our processes rely on Microsoft or SFTP for the transfer of data, depending on the client's preference. All of our teams use complex passwords, two-factor authentication and regular password changes.
Additionally, our supply chain management process ensures that any supplier of software or services to Phase 3 adheres to the same level of standards that we expect of ourselves. In particular, the suppliers of our cloud-based payroll software are regularly audited by Phase 3 and by external auditors to ensure that their data security practices and controls are robust, that penetration testing is carried out regularly, and that the resulting reports are reviewed.
Phase 3 also have a detailed Cyber Attack Response plan and a supplier to assist with security incident response should the worst ever happen.
What have we learned from this latest information security incident?
We are aware that the point of file transfer is a common vulnerability if not managed correctly. Our teams use Microsoft Azure Guest Access to grant access to a named shared folder within our network and create users with two-factor authentication to share data; once the transfer is complete, the data is removed from the shared folder.
For clients who prefer SFTP transfer, we have SFTP sites created to share data; these are again wiped once the data has been transferred, to reduce the potential for unauthorised access.
Statement authorised by: James Proctor, Chief Operating Officer
Date: 06.06.23