Global accounting giant Sage is facing accusations it mis-sold software after customers bought perpetual licenses for products the vendor now says must move to a subscription model for technical reasons.
Earlier this month, The Register revealed Sage was advising customers with small business software Sage 50 Accounts and Sage 50cloud Accounts v26.2 (published 2020) or below to move to subscription software because these packages use Transport Layer Security 1.0 and 1.1 – dated versions of the security protocol.
Sage is not offering customers the ability to patch or upgrade their software on a perpetual license. Those who have not moved to a subscription license by 30 September will lose access to their software and their data, according to a statement.
However, developers on a separate Sage platform, the cloud-based Intacct, were told in March 2018 to “Ensure your application is configured to negotiate connections using TLS 1.2 or higher.”
The 2018 post explained: “Once Sage Intacct disables support for TLS 1.0 and 1.1, any browser or API access originating from a resource that does not support TLS 1.2 or higher will fail.”
Customers with Sage 50 Accounts perpetual licenses activated after this date are arguing they were effectively mis-sold the software because Sage knew it to be out of date with the communications protocol, knew it would need to be upgraded, and planned to offer that upgrade only on the subscription license.
“[Sage] have sold a software to me on a perpetual license knowing that it’s going to be invalid within an unknown period of time,” one customer told The Register.
Users of the affected version of Sage 50 Accounts get a pop-up dialog box telling them to upgrade to 26.3 or 27, but when they try to download the software, only subscription options are available.
“They had full knowledge of this all happening. They are telling us to upgrade and they’re refusing to provide [the] very software they’re telling us to upgrade to,” the customer said.
In Sage’s terms and conditions [PDF] accompanying perpetual license purchases, it says users have a right to expect the software to be usable for 15 years provided they keep their systems up to date.
Meanwhile, The Register understands that customers have been offered refunds on recently purchased upgrade packages, a refund of time remaining on the 15-year perpetual license when they move to the subscription model, and a 12-month free subscription.
In correspondence seen by The Register, Sage appeared to admit some customers had the right to expect their perpetual licenses to be valid for a longer period than they will be.
Nonetheless, customers are still arguing they will be worse off under subscription licenses, even with the new offers. A perpetual license might cost £650 (c $790) while a subscription for Sage 50cloud Professional costs £145 ($176) per month. A Sage 50cloud Standard subscription costs £72 (c $87) per month. Customers are likely to be worse off paying the subscription license after less than a year.
We have asked Sage to comment on new information seen by The Register.
Earlier this month, a Sage spokesperson said: “TLS v1.0 and v1.1 is an industry-wide security protocol that is used to facilitate privacy and data security for communications over the internet. The stability and security of the protocol is the core focus, not the age of it. The need to amend a new protocol occurred following the launch of our products and after the Internet Engineering Task Force (IETF) formally discouraged the use of it.”
They added: “Sage communicated with its customers about this, the action they needed to take, and how we could support them. We will always prioritize the security of our products and protect customer data in accordance with the latest industry standards, today and for the future.”
We asked why Sage can’t update v24 and after to use TLS 1.2 to verify software licensing, and were told: “We recognize that due to these changes to the TLS Protocol, our customers will be impacted in different ways. Providing temporary patches is not the most effective solution in this instance, but ensuring that the systems provided by Sage are continually up to date is key for businesses to operate effectively and securely, and we are ready to support all customers to make the changes so they are secure and have the best experience.”
When asked whether customers would lose access to their data, the spokesperson said: “No. We have communicated with customers about the options available to them. If the customer upgrades to a compatible version of Sage 50 Accounts, they will continue to access their data. If they do not wish to upgrade, they can export their data before the cut-off date in September. We appreciate this will impact customers in different ways and our customer contact team is happy to discuss needs on an individual basis.”
The Register asked Sage to comment and it sent this statement:
“Software platforms are built in different ways and as such giving prior notice to upcoming changes in terms of security protocols and other technological changes is standard practice.
“The stability and security of The Transport Layer Security protocol is the core focus, not the age of it. The need to amend a new protocol occurred following the launch of our Sage50 products and after the Internet Engineering Task Force (IETF) formally discouraged the use of it.
“Any customer with an active support contract or subscription has access to the latest version without any cost to them. We appreciate this will impact customers in different ways and our customer contact team is happy to discuss needs on an individual basis.” ®