ASIC reports server breached via Accellion vulnerability

Credit licences accessed with Accellion identified as the weak point.

The Australian Securities and Investments Commission (ASIC) has said one of its servers was breached on January 15.

"This incident is related to Accellion software used by ASIC to transfer files and attachments," the corporate regulator said in a notice posted on the evening before a public holiday.

"It involved unauthorised access to a server which contained documents associated with recent Australian credit licence applications."

ASIC said while some "limited information" has been viewed, it did not see evidence that any application forms were downloaded or opened. The regulator said access to the server has been disabled and it was working on other arrangements.

"No other ASIC technology infrastructure has been impacted or breached," it added.

"ASIC is working with Accellion and has notified the relevant agencies as well as impacted parties to respond to and manage the incident."

Accellion was also used as the vector to breach the Reserve Bank of New Zealand (RBNZ) earlier this month.

"We have been advised by the third-party provider that this wasn't a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised," the Bank said at the time.

In an update posted last week, Bank Governor Adrian Orr said the cause of the breach was "understood and resolved".

"Based on the results of our investigation and analysis to date we have been able to tell stakeholders which of their files on the File Transfer Application were downloaded illegally during the breach," he said.

"There are some serious questions that have been answered by the team at the Bank and there are more for the supplier of the system that was breached. That is the subject of an independent review by KPMG that is now underway."

RBNZ said it was already in the process of implementing a new secure file transfer system to be used with external stakeholders, and that work has been sped up.

For its part, Accellion said on January 12 that it had been aware of the vulnerability in its legacy File Transfer Application since mid-December, and had released a patch in 72 hours to the "less than 50 customers affected".

"Accellion FTA is a 20-year-old product that specialises in large file transfers," it said.

"While Accellion maintains tight security standards for its legacy FTA product, we strongly encourage our customers to update to kiteworks, the modern enterprise content firewall platform, for the highest level of security and confidence."
