Australian Securities Regulator Discloses Security Breach

Image: Pat Whelen

The Australian Securities and Investments Commission (ASIC) has revealed that one of its servers has been accessed by an unknown threat actor following a security breach.

ASIC is an independent Australian government commission tasked with the regulation of insurance, securities, and financial services, as well as with consumer protection, in its role as Australia’s national corporate regulator.

The commission also maintains a searchable database of business information for several types of organizations. The stored data includes both current and historical info including but not limited to addresses and office locations.

A single server affected by the breach

As ASIC disclosed, the incident, which took place on January 15th, 2021, is related to Accellion software the commission uses to transfer information.

“It involved unauthorised access to a server which contained documents associated with recent Australian credit licence applications,” ASIC said.

“While the investigation is ongoing, it appears that there is some risk that some limited information may have been viewed by the threat actor.

“At this time ASIC has not seen evidence that any Australian credit licence application forms or any attachments were opened or downloaded.”

In response to the security breach, ASIC has disabled access to the impacted server and is working on providing an alternative credit application submission channel.

The Australian securities regulator is working on bringing the impacted systems back online and on a forensic investigation of the attack with the help of external cybersecurity experts.

The commission said that no other systems besides the affected server have been reached or impacted in the incident.

ASIC is working with Accellion and has notified the relevant agencies as well as impacted parties to respond to and manage the incident. – ASIC

Other Accellion customers breached or exposed to attacks

The New Zealand Reserve Bank also disclosed earlier this month that they suffered a data breach after an attacker compromised a file sharing service containing sensitive data, powered by Accellion’s FTA (File Transfer Application).

This is a legacy service deployed on-premise to allow users to share large and sensitive files with external recipients securely.

The vulnerability used to hack New Zealand Reserve Bank’s file sharing service was patched by Accellion on Christmas Eve.

“Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected,” the company said in a press release.

Based on these numbers, dozens of other targets might have been compromised by exploiting the same vulnerability.

According to BleepingComputer’s cybersecurity industry sources, Accellion released the patch on December 24th, and the Reserve Bank of New Zealand suffered the breach on December 25th.

Even though Accellion still provides support for the legacy FTA service, it has also been urging customers to migrate to the new Kiteworks platform since at least December 2019.
