INC-2025-002: Sophos Central Cross-Tenant Audit Log Exposure
Overview
A previously undetected issue in the Sophos Central audit logging system led to a limited number of cases in which email addresses or usernames belonging to one customer could appear in another customer's audit logs.
The issue occurred sporadically and was not widespread. The cause of the issue was a logging error and did not affect system functionality, the confidentiality of customer data, or broader security controls.
Once the root cause was identified, we released a fix to Sophos Central that removed the offending code, and validation checks were put in place. A filter was also added to the Audit Log view to prevent any accidental data leakage across any affected tenants.
Impact
Audit log activity from one tenant was visible under a different tenant, affecting approximately 9,500 unique email addresses across 2,100 Sophos Central customers.
Timeline
| Time | Event |
|---|---|
December 2024 | Initial support case opened for anonymous logging entries referencing updates to website management settings. |
January 2025 | Second customer support case opened for anonymous logging entries for global exclusions. |
March 11, 2025 | Third customer case opened for anonymous logging entries. Correlation of these multiple support cases leads to deeper investigation of anonymous log entries outside the normal scope of the Sophos Central platform. |
March 28, 2025 | Sophos Internal Detection and Response (IDR) team begins investigation. |
March 31, 2025 | Sophos IDR identifies 44 unique description fields that potentially contain PII data. |
April 2, 2025 | Root Cause Analysis received from Sophos Central platform development team. |
April 5, 2025 | Fix released to Sophos Central platform, including filter for current audit logs. |
April 10, 2025 | Sophos IDR report shared with Data Protection team to conduct data protection assessment. |
April 10, 2025 | Incident severity raised and CISO notified. |
April 15, 2025 | Data protection assessment completed. |
April 18, 2025 | Notification sent to approximately 9,500 impacted email addresses. |
Analysis
In December 2024, a customer reported an audit log entry showing a configuration change made by an anonymous user in the Sophos Central product. An additional seven support cases related to anonymous log entries were opened between the initial case and March 2025. Anonymous entries are consistent with certain logging events when a Central feature or product refers to an internal Sophos system/workflow.
Further examination of open cases in mid-March triggered a deeper investigation, which identified a broader issue. In certain cases, audit log entries were being incorrectly attributed across customer environments.
Specifically, actions performed by one customer could appear in another customer’s audit logs, as if those actions were their own. This was not the result of unauthorized access or a data breach, but a misattribution that occurred during the generation of the log entries. As a result, audit logs in some cases did not accurately reflect the activity of the viewing customer.
Example Scenario:
- Customer A performs the action 'DELETE'.
- The 'DELETE' audit log is written with Customer B’s UID in the audit log.
- Customer B views their audit logs and sees the 'DELETE' message from Customer A’s activity, as if it were their own, and Customer A will not see audit log messages for the actions they took.
- Additionally, the ‘Item modified’ column of Customer B’s audit log would contain email addresses or usernames belonging to Customer A.
We identified the root cause as a code change that prevented the tenant ID value from being properly updated when an audit log message was written. The logging mechanism checked to see if a tenant ID was set. If it was, it did not overwrite that ID with the current tenant ID. There was a bug where some logging events did not clear the tenant ID when finished, leading to the logger writing the event with the wrong tenant ID. Consequently, stale or incorrect tenant IDs were used to write and attribute the audit log messages.
The fix was to ensure that all logging events clear the tenant ID properly when finished, and that new logging events overwrite the tenant ID with the correct one even if it is already populated, so that every logging event is written with the correct tenant ID.
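The stale-tenant-ID behaviour from the root cause and the Example Scenario above, modelled as an added example (this is not Sophos Central code; the logger classes, method names, tenant values and the refusal check are constructed assumptions):

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class AuditEntry:
    tenant_id: Optional[str]   # tenant the entry is attributed to
    action: str                # e.g. 'DELETE'
    item_modified: str         # e.g. an email address or username

class BuggyAuditLogger:
    """Models the faulty logic: the tenant ID is only set when empty, so a
    stale ID left behind by an event that forgot to clear it is reused."""

    def __init__(self) -> None:
        self._tenant: Optional[str] = None
        self.entries: List[AuditEntry] = []

    def begin_event(self, tenant_id: str) -> None:
        if self._tenant is None:        # BUG: an already-set (stale) ID wins
            self._tenant = tenant_id

    def write(self, action: str, item: str) -> None:
        self.entries.append(AuditEntry(self._tenant, action, item))

    def end_event(self) -> None:
        self._tenant = None

class FixedAuditLogger(BuggyAuditLogger):
    """Every new event overwrites the tenant ID, and writes are refused when
    no tenant is set, so a missed end_event() can no longer misattribute."""

    def begin_event(self, tenant_id: str) -> None:
        self._tenant = tenant_id        # always overwrite, even if populated

    def write(self, action: str, item: str) -> None:
        if self._tenant is None:        # assumed validation check
            raise RuntimeError("audit write outside a tenant context")
        super().write(action, item)

def replay(logger: BuggyAuditLogger) -> List[AuditEntry]:
    """Constructed scenario: Customer B's event finishes without clearing
    the tenant ID, then Customer A performs a DELETE."""
    logger.begin_event("tenant-B")
    logger.write("UPDATE", "website management settings")
    # end_event() deliberately omitted: this is the "did not clear" bug
    logger.begin_event("tenant-A")
    logger.write("DELETE", "alice@customer-a.example")
    logger.end_event()
    return logger.entries
```

With the buggy logger, Customer A's DELETE (and the email address in its item_modified field) is attributed to tenant-B; with the fixed logger it lands under tenant-A.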
Resolution
Immediate actions
On April 5, 2025, we rolled out fixes to resolve all instances of this issue and prevent any recurrence in the future. We removed the faulty code and replaced it with a validation check, introduced in Sophos Central Platform version 2025.14.
To ensure accurate and reliable logging, we identified all erroneous log entries and removed them from customers' accounts.
Following completion of the Data Protection Assessment, we notified approximately 9,500 impacted email addresses.
Longer Term Actions
We are developing additional measures to further prevent and detect similar issues in the future, ensuring our systems continue to operate securely and reliably.
If you have further questions or feel you require assistance related to this incident, please contact Sophos Support using any of the options below.
- Sophos Support Portal
- Phone Sophos Support (24/7)
- Submit a case: Log into the Support Portal and click Help -> Create Support Ticket
- MDR customers: Please reach out via your MDR dashboard or directly to your assigned Sophos threat response contact.