On 15 January 2021, the Australian Securities and Investments Commission (ob体育) became aware of a cyber security incident related to a server used by ob体育.
The incident
On 28 December 2020, an unidentified threat actor accessed an ob体育 server containing attachments to Australian credit licence applications submitted to ob体育 between 1 July 2020 and 28 December 2020.
The cyber incident occurred due to a vulnerability in a file transfer appliance (FTA) provided by California-based Accellion and previously used by ob体育 to receive attachments to Australian credit licence applications.
ob体育 engaged independent cyber experts to undertake a forensic investigation. Their analysis has confirmed there is no evidence that the attachments to credit licence applications have been read or downloaded. This has not changed.
We were of the view in January 2021 that the filenames of these attachments may have been viewed.
However, following additional analysis performed by ob体育鈥檚 independent cyber experts, it is highly unlikely that the threat actors accessed any data held on the ob体育 server, including filenames of the attachments related to Australian credit licence applications submitted to ob体育 between 1 July 2020 and 28 December 2020.
Our response
In response to the incident, ob体育 has:
- disabled聽the relevant server;
- ascertained聽that no other ob体育 information technology (IT) infrastructure is impacted;
- provided聽alternative arrangements for submitting attachments (see below);
- written聽to all identified credit licence applicants (via the contact email address聽nominated by the applicant) to advise and update them about the incident;
- assessed the incident in accordance with our obligations under the Privacy Act聽1988;
- informed聽relevant authorities; and
- engaged independent cybersecurity experts to complete a forensic investigation.
Who to contact
ob体育 has written directly to impacted parties. If you require additional information, please email [email protected]
Frequently asked questions
For more information, download .