On 15 January 2021, the Australian Securities and Investments Commission (ASIC) became aware of a cyber security incident related to a server used by ASIC.
On 28 December 2020, an unidentified threat actor accessed an ASIC server containing attachments to Australian credit licence applications submitted to ASIC between 1 July 2020 and 28 December 2020.
The cyber incident occurred due to a vulnerability in a file transfer appliance (FTA) provided by California-based Accellion and previously used by ASIC to receive attachments to Australian credit licence applications.
ASIC engaged independent cyber experts to undertake a forensic investigation. Their analysis has confirmed there is no evidence that the attachments to credit licence applications have been read or downloaded. This has not changed.
We were of the view in January 2021 that the filenames of these attachments may have been viewed.
However, following additional analysis performed by ASIC’s independent cyber experts, it is highly unlikely that the threat actors accessed any data held on the ASIC server, including filenames of the attachments related to Australian credit licence applications submitted to ASIC between 1 July 2020 and 28 December 2020.
In response to the incident, ASIC has:
- disabled the relevant server;
- ascertained that no other ASIC information technology (IT) infrastructure is impacted;
- provided alternative arrangements for submitting attachments (see below);
- written to all identified credit licence applicants (via the contact email address nominated by the applicant) to advise and update them about the incident;
- assessed the incident in accordance with our obligations under the Privacy Act 1988;
- informed relevant authorities; and
- engaged independent cybersecurity experts to complete a forensic investigation.
Who to contact
ASIC has written directly to impacted parties. If you require additional information, please email email@example.com
Frequently asked questions
For more information, download frequently asked questions.