The company said it was alerted to the misconfiguration by a security researcher, and that it fixed the issue immediately.
However, a "small subset" of the company's customers were affected, with first and last names, email addresses and phone numbers thought to have been accessed. Earlier this week Sophos began emailing those customers thought to have been affected.
"On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support," an email to customers read, as seen by ZDNet.
It added that additional safeguards had now been implemented to ensure access permission settings can't be exploited in the future.
This is the second major security incident in 2020 for Sophos after cyber criminals exploited a zero-day vulnerability in the firms XG firewall in April. Attackers used this to deploy ransomware but were eventually foiled by the security firm.
Leadership compass: Privileged Access Management
Securing privileged accounts in a high-risk environment
"At Sophos, customer privacy and security are always our top priority. We are contacting all affected customers," the company said. "Additionally, we are implementing additional measures to ensure access permission settings are continuously secure."
While the breach may cause some embarrassment for Sophos, the incident will unlikely lead to any major consequences for its customers or regulatory action for the company itself, according to Ilia Kolochenko, founder & CEO of web security company ImmuniWeb.
"No highly sensitive information, such as banking, health or credit card data, was reportedly exposed," Kolochenko told IT Pro. "Moreover, many users that approach support, commonly use central phone numbers or even fake emails that are of not much value to hackers. Sophos's open reaction to the incident seems to be swift and professional, taking accountability for the incident with adequate mitigation.
"Compared to the countless data breaches with disastrous consequences in 2020, this minor incident will unlikely to attract the attention of law enforcement agencies or regulatory authorities."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.
Bobby mainly covers hardware reviews, but you will also recognise him as the face of many of our video reviews of laptops and smartphones.