Global accounting giant Sage has been accused of misselling software after customers bought perpetual licenses for products that the vendor now says will require technical reasons to switch to a subscription model.
Earlier this month, The register revealed that Sage advised customers with small business software Sage 50 Accounts and Sage 50cloud Accounts v26.2 (published in 2020) or lower to switch to subscription software because these packages use Transport Layer Security 1.0 and 1.1 — dated versions of the security protocol.
Sage does not offer customers the option to patch or upgrade their software with a perpetual license. Those who have not switched to a subscription license by September 30 will lose access to their software and their data, according to a statement.
However, developers of a separate Sage platform, the cloud-based Intacct, were told in March 2018 to “make sure your application is configured to negotiate connections to TLS 1.2 or higher.”
The 2018 post explained, “Once Sage Intacct disables support for TLS 1.0 and 1.1, any browser or API access coming from a source that doesn’t support TLS 1.2 or higher will fail.”
Customers with perpetual licenses for Sage 50 accounts activated after this date claim that they actually mis-sold the software because Sage knew it was out of date with the communications protocol, knew it needed to be upgraded, and Sage planned to upgrade only available on a subscription license.
“[Sage] sold software to me with a perpetual license, knowing it will be invalid within an unknown period of time,” one customer told The register.
Users of the affected version of Sage 50 Accounts will see a pop-up window telling them to upgrade to 26.3 or 27, but when they try to download the software, only subscription options are available.
“They were fully aware of all this. They tell us to upgrade and they refuse to bid [the] very software they tell us to upgrade to,” the customer said.
In Sage . terms and conditions [PDF] when purchasing perpetual licenses, it says that users have the right to expect the software to be usable for 15 years, provided they keep their systems up to date.
In the meantime, The register understands that customers have received refunds for recently purchased upgrade packages, a refund of the remaining time of the 15-year perpetual license when they switch to the subscription model, and a free 12-month subscription.
Seen in correspondence by The registerSage seemed to admit that some customers had a right to expect their perpetual licenses to last longer than they will be.
Nevertheless, customers still claim they will be worse off with subscription licenses, even with the new offerings. A perpetual license might cost £650 (c$790), while a subscription for Sage 50cloud Professional costs £145 ($176) per month. A Sage 50cloud Standard subscription costs £72 (c$87) per month. Customers are likely to be worse off paying a subscription license after less than a year.
We’ve asked Sage to comment on new information seen by The register.
Earlier this month, a Sage spokesperson said: “TLS v1.0 and v1.1 is an industry-wide security protocol used to facilitate privacy and data security for communications over the Internet. The stability and security of the protocol is the core focus, not the The need to adapt a new protocol arose after the launch of our products and after the Internet Engineering Task Force (IEFT) formally discouraged its use.”
They added: “Sage communicated with its customers about this, the action to take and how we could support them. We will always prioritize the security of our products and protect customer data in accordance with the latest industry standards, today and for the future.”
We asked why Sage can’t update v24 and later to use TLS1.2 to verify software licenses and were told, “We recognize that our customers are affected in several ways by these changes to the TLS protocol. Providing temporary patches is Not the most effective solution in this case, but ensuring that the systems provided by Sage are constantly up to date is essential for businesses to operate effectively and securely.The required change is a simple process for customers with the latest versions of our software, and we are ready to support all customers to make the changes so that they are safe and have the best experience.”
When asked if customers would lose access to their data, the spokesperson said: “No. We have communicated with customers about the options available. If the customer upgrades to a compatible version of Sage 50 Accounts, they will continue to have access to their data. If they don’t want to upgrade, they can export their data before the September cut-off date. We understand this impacts customers in a variety of ways and our customer contact team is happy to discuss needs on an individual basis.”
The register asked Sage for comment and it sent this statement:
“Software platforms are built in different ways, so it is standard practice to be aware of upcoming security protocol changes and other technological changes in advance.
“The stability and security of the Transport Layer Security protocol is its core focus, not its age. The need to adapt a new protocol came after the launch of our Sage50 products and after the Internet Engineering Task Force ( IEFT) was formally discouraged from using it.
“Any customer with an active support contract or subscription will have free access to the latest version. We understand that this affects customers in different ways and our customer contact team is happy to discuss needs on an individual basis.” ®