About 130 entities seeking a credit licence were impacted by the ASIC breach, including new applicants and existing financial institutions looking to modify their licence.
In the ASIC breach, hackers accessed the server that contains documents for recent Australian credit licence applications and their attachments. Those attachments would usually include detailed financial and other confidential documents from applicants.
“At this time ASIC has not seen evidence that any Australian credit licence application forms or any attachments were opened or downloaded.”
Sources who were not authorised to comment on the record said the ASIC hackers most likely could only see the names of the applicants that had made applications during the hack period and the titles of the attachments, but not the content. There are fears the hackers could present screenshots of the information they’ve stolen and demand ransom payments from groups caught in the ASIC sting.
It’s another headache for the corporate watchdog, which is still without a permanent chairman following James Shipton’s decision to stand aside during Treasury’s investigation into his tax advice payment.
The Australian Signals Directorate’s Australian Cyber Security Centre said last week it had been working with security partners to assist Australian corporations affected by the Accellion vulnerability since January 12. It urged affected corporations to conduct an audit of their file transfer appliance accounts and to upgrade from the vulnerable legacy product to one of Accellion’s currently supported products.
Accellion said in a statement earlier this month it had fixed the issue it first detected in December 2019 and estimated about 50 of its clients were affected.
Robert Ishak, a cyber security expert and principal at William Roberts Lawyers, said the Accellion attack was another example of how Australia was lagging other countries in assessing and preventing cyber attacks.
“Corporate Australia has a lot more to do to protect itself. It’s like we’ve been sleeping in the house and leaving our doors unlocked,” he said.
“In my view it would be a breach of their directors’ duties if directors are not considering cyber risk on a regular basis. It’s not a one-off tick-a-box approach.”
Sarah Danckert is a business reporter who specialises in investigations and corporate wrongdoing. She is a two-time Walkley Award winner, and has won four Quill Awards and two Kennedy Awards.