ASIC hit with cyber attack

ASIC has announced that it was the victim of a cyber attack involving unauthorised access to a server that contained information relating to Australian credit licence applications – and that there is “some risk” that limited information may have been viewed by the attacker.

“As a precaution, and to protect information and systems, ASIC has disabled access to the affected server … ASIC’s IT team and cyber security advisers engaged by ASIC are undertaking a detailed forensic investigation and working to bring systems back online safely,” ASIC said.

ASIC became aware of the attack on 15 January but waited until late on Monday, 25 January to make an announcement. The regulator did not employ its usual email blast to inform market participants that it had been compromised.

The attack exploited a vulnerability in Accellion software the regulator used to transfer files and attachments. Top tier law firm Allens and the Reserve Bank of New Zealand suffered similar attacks using the same exploits in early January.

“While the investigation is ongoing, it appears that there is some risk that some limited information may have been viewed by the threat actor. At this time ASIC has not seen evidence that any Australian credit licence application forms or any attachments were opened or downloaded,” ASIC said.

Cyber threats have ranked highly on ASIC’s watch list for several years now, with companies urged to tighten security in the face of increasingly sophisticated and motivated actors looking to take advantage of vulnerabilities in the digitalised financial system.

“Industry research shows that over 60 per cent of customers would stop using a company’s products or services if a cyber attack resulted in a known security breach. This would have a catastrophic impact on any business, even if the breach was temporary,” former ASIC chairman Greg Medcraft said in 2017.

“The very real threat – and consequences – of a cyber -attack means organisations must address the issue fully. In fact, their preparedness must be a long-term commitment that has to be embedded in their very culture.”