Digital burglars break into the Australian Securities and Investments Commission

Miscreant fingered server that held docs related to credit applications down under


The Australian Securities and Investments Commission (ASIC) has admitted one of its servers was accessed without sanction and may have been digitally pawed by miscreants.

The country's company and financial services regulator became aware of the incident on 15 January, which it said was "related to Accellion software used by ASIC to transfer files and attachments."

The attack involved a server containing documents associated with Australian credit applications and the commission warned that "some limited information may have been viewed by the threat actor." ASIC was at pains to add that it hadn't seen evidence of the forms and attachments being opened or downloaded.

That said, ASIC has still disabled access to the affected server and is working on "alternative arrangements" for the submitting of credit application attachments. The Aussie government agency reckons that none of its other infrastructure had been breached.

The commission is working with Accellion and cyber security advisors to deal with the incident and notify those impacted.

ASIC is not alone. On 11 January, the Reserve Bank of New Zealand (RBNZ) gave its own response to "a breach of a third party file sharing service" provided by Accellion. The RBNZ noted that the sharing service had been illegally accessed and it had taken the system offline while investigations continued.

The governor of the RBNZ, Adrian Orr, said: "We have been advised by the third party provider that this wasn't a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised."

Accellion had been made aware of a vulnerability in its legacy File Transfer Appliance (FTA) back in December and had swiftly issued a patch "to the less than 50 customers" it said were affected. FTA is 20 years old, according to Accellion, and the company advised those using it to upgrade to something a little more modern.

An Accellion spokesperson told The Register that ASIC's incident was "related to the previously reported and patched FTA vulnerability."

The breach is the latest in a series seen over recent months.

Jake Moore, cybersecurity specialist at ESET, said: "Government breaches are likely to occur more than you might think, as their infrastructure is often outdated. Funding can be difficult to come by and sometimes decision-makers wrongly assess the level of risk. However, although governments may seem like an easy target to certain threat actors, the rewards for a breach are usually not as lucrative as with private organisations.

"Governments are not so easily swayed into paying big demands to criminals due to their lack of funds, not to mention the public audience. Such financial demands are also even more difficult to sign off, so the motivation behind government attacks are often linked to other factors and political motives.

"The key for government organisations to thwart such attacks is to keep abreast of the latest attack vectors and continually train staff to be aware of threats. No one piece of software can completely put a stop to the attacks, but such risk of an attack should never be undermined by those making the decisions." ®

