The Australian Securities and Investments Commission (ASIC) has been hit by a data breach which saw attackers gain access to files relating to credit license applications.
On Monday ASIC announced that the incident, which occurred on January 15, was related to a vulnerability in vendor Accellion’s legacy File Transfer Appliance (FTA) software.
The software, used for storing and sharing documents, was vulnerable to SQL injection, a common attack vector through which hackers gain access to hidden parts of a database or file system.
“While the investigation is ongoing, it appears that there is some risk that some limited information may have been viewed by the threat actor,” ASIC said in a statement.
“At this time ASIC has not seen evidence that any Australian credit license application forms or any attachments were opened or downloaded.
“No other ASIC technology infrastructure has been impacted or breached.”
According to a disclosure statement from Accellion, the FTA vulnerability was remedied “within 72 hours” of its discovery in December, with patches rolled out to the small number of users still clinging onto the old file-sharing system.
ASIC’s data breach took place three days after Accellion publicly disclosed the vulnerability.
On January 10, the Reserve Bank of New Zealand announced it had suffered a data breach through its own Accellion FTA instance.
The central bank said it was “already in the process of implementing a new secure file transfer system” before the breach and apologised to stakeholders for the incident.
The Australian Cyber Security Centre issued an alert about the FTA vulnerability and offered advice for Australian organisations that included “[migrating] to currently supported products”.
Accellion itself has recommended that FTA customers upgrade to its more modern enterprise content firewall platform, Kiteworks.