NSW Health confirms data breached due to Accellion vulnerability

NSW Health is the latest Australian government entity to confirm being impacted by a vulnerability in the Accellion file transfer system.
Written by Asha Barbaschow, Contributor

New South Wales Health has confirmed being impacted by a cyber attack involving the file transfer system owned by Accellion.  

The system was widely used to share and store files by organisations around the world, including NSW Health, the government entity said on Friday afternoon.

"Following the NSW government's advice earlier this year around a world-wide cyber attack that included NSW government agencies, NSW Health is notifying people whose data may have been accessed in the global Accellion cyber attack," it said in a statement.

The state entity said medical records in public hospitals were not affected and the software involved is no longer in use by NSW Health.

"Different types of information, including identity information and in some cases, health-related personal information, were included in the attack," it added.

NSW Health said it has been working with NSW Police and Cyber Security NSW and that to date, there is no evidence any of the information has been misused.

See also: How NSW Health used tech to respond to COVID-19

"A cyber incident help line has been set up to provide further information and support to those people NSW Health is contacting," it said. "If you are contacted by NSW Health, you will be given the cyber incident help line details; if you are not contacted by NSW Health, no action is required."

The NSW Police Force and Cyber Security NSW have set up Strike Force Martine to determine the impact on NSW government agencies that were caught up in the attack on Accellion.

Accellion's file-sharing program, File Transfer Appliance, is an enterprise product used to transfer large files. While now discontinued and supplanted by other software such as Kiteworks, a zero-day vulnerability in the legacy software was found in December and has since been exploited by attackers in the wild. 

It is estimated that some 100 organisations around the world were among those affected by the breach.

Transport for NSW in February confirmed being caught up in the breach.

The Australian Securities and Investments Commission (ASIC) in January said one of its servers was breached earlier in the month in relation to Accellion software used by the agency to transfer files and attachments.

Accellion was also used as the vector to breach the Reserve Bank of New Zealand (RBNZ) in January.


Editorial standards