A 32-year-old woman has been arrested and bailed in connection with the data breach at accountancy software firm Sage.
City of London Police confirmed that the woman was arrested at Heathrow Airport on "suspicion of conspiracy to defraud" and is a current employee of the company.
The arrest comes two days after Sage admitted to a data breach when "unauthorised access" was gained by someone using an internal company log-in.
Sage said that the personal information of employees at 280 organisations in the UK was compromised as a result of the attack.
"We believe there has been some unauthorised access using an internal log-in to the data of a small number of our UK customers, so we are working closely with the authorities to investigate the situation," Sage said in a statement released over the weekend.
The company has informed the Information Commissioner's Office and the City of London Police.
Sage did not reveal any further information about the breach, whether or how the data was obtained, how many people might be affected, the information that may have been compromised or even the services that were cracked.
The statement also raises questions about the security and monitoring of the company's authentication mechanisms. Sage did not say whether the breach was performed by a current or former employee, or whether the log-in credentials were compromised in some way.
Sage has around six million SMB customers around the world, and the unauthorised access of 280 customer accounts therefore represents only a small proportion of its total customer base. The company claimed that only UK-based customers were affected.
Thomas Fischer, threat researcher and global security advocate at Digital Guardian, laid the blame squarely at Sage's door, suggesting that the company's security was inadequate.
"It appears that the Sage breach came from an insider. Insider threats are almost always preventable if the right people-management processes and tools are in place," he said.
"This is the case even if the employee is a so-called reluctant insider, meaning that, for example, an external party has compromised their account.
"Sage also claims that it's currently unsure how the data was compromised. Again, with the proper investments in IT security this should be easily controllable and identifiable in a very short period of time."
The admission of a security breach at Sage comes after a week of revelations from retail systems vendors that appear to have been targeted by a gang of Russian hackers.
Oracle revealed last week that a serious breach at its MICROS subsidiary led to the firm having to remove malicious code from legacy retail systems software.
It emerged later in the week that five other retail systems vendors had also been attacked, although none of them admitted to a breach of the same severity as at Oracle.
V3 has sent a series of probing questions to Sage this morning and will update this story as soon as the company responds.