Australian Financial Regulator Hit by Data Breach
Yet Another Incident Tied to Unpatched Flaw in Accellion's File Transfer Appliance
More breach victims are emerging as the result of exploits of an unpatched vulnerability in an aging file transfer system from Palo Alto, California-based Accellion.
The latest announcement comes from the Australian Securities and Investments Commission, which says it became aware on Jan. 15 of a breach involving Accellion’s software, which the agency uses to transfer files and attachments.
Recent credit license applications were accessed without authorization, ASIC says.
“While the investigation is ongoing, it appears that there is some risk that some limited information may have been viewed by the threat actor,” ASIC says. “At this time, ASIC has not seen evidence that any Australian credit license application forms or any attachments were opened or downloaded.”
ASIC officials couldn’t be immediately reached for comment. The Sydney Morning Herald reports that ASIC informed financial institutions about the breach on Monday, 10 days after it knew it had been compromised.
Meanwhile, the Australian Financial Review reports that the law firm Allens was also the victim of a breach tied to the unpatched Accellion vulnerability.
First Disclosure: NZ Reserve Bank
The Reserve Bank of New Zealand was the first to come forward as a victim of an exploit of the Accellion vulnerability. On Jan. 10, the bank said its file-sharing system had been compromised, exposing commercial and consumer information (see: Reserve Bank of New Zealand Investigates Data Breach).
Reserve Bank Gov. Adrian Orr gave an unusually direct apology, saying that the bank’s actions “have fallen short of the public's expectations.” He said the bank continues to investigate the impact of the data exposure (see: NZ Reserve Bank Governor Says He 'Owns' Breach).
Accellion said it was made aware in mid-December of a vulnerability in its File Transfer Appliance, a 20-year-old product that’s used for large file transfers, and a patch was released within 72 hours. The company said fewer than 50 of its customers were affected.
For at least two years, the company has been encouraging customers to shift to its Kiteworks content-sharing platform, although it hasn’t retired the File Transfer Appliance.
SQL Injection Flaw
Accellion described the vulnerability in its File Transfer Appliance as a “P0” flaw. The Australian Cyber Security Center, a government agency, was more specific, describing it as a SQL injection flaw, one of the most common types of vulnerabilities.
The ACSC says that if the flaw is exploited, it “may provide an attacker with access to content stored on and accessible by the FTA instance.”
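To illustrate the class of flaw the ACSC names, here is an added example that is not Accellion's code (the page describes nothing of the FTA's internals, and the table, owners and file names below are constructed). It uses Python's built-in sqlite3 module with a small "files" table standing in for a file-transfer backend, and places a lookup that splices the caller-supplied owner name into the SQL text beside the parameterized version a fix should look like.

```python
import sqlite3


def build_db():
    """Constructed sample data: a minimal shared-files table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO files (owner, name) VALUES (?, ?)",
        [
            ("alice", "credit-licence-app-001.pdf"),
            ("alice", "attachments-001.zip"),
            ("bob", "quarterly-report.xlsx"),
        ],
    )
    conn.commit()
    return conn


def list_files_vulnerable(conn, owner):
    """Defect: untrusted input is formatted straight into the SQL statement,
    so quote characters in 'owner' change the query's logic instead of its data."""
    sql = f"SELECT name FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn, owner):
    """Fix: bind the value as a parameter; the driver never interprets it as SQL,
    so the query can only ever match rows whose owner equals the literal string."""
    rows = conn.execute("SELECT name FROM files WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    # A normal lookup behaves the same either way.
    print(list_files_vulnerable(db, "alice"))
    print(list_files_safe(db, "alice"))
    # The classic tautology input shows the difference: the vulnerable query
    # returns every owner's files, the parameterized one returns nothing.
    crafted = "alice' OR '1'='1"
    print(list_files_vulnerable(db, crafted))
    print(list_files_safe(db, crafted))
```

The point for a defender is that no amount of escaping at call sites substitutes for parameter binding; the same pattern applies to any web front end that builds queries from request fields, which is the exposure the ACSC advisory describes when it says an exploit can reach content stored on the FTA instance.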
Organizations should implement the patch for the vulnerability as soon as possible, the ACSC stresses. Alternatively, they should temporarily isolate or block internet access to and from systems that host the FTA software.
Also, administrators should audit FTA user accounts for changes and consider resetting all users' passwords. “Given that FTA is regarded as a legacy product by Accellion, organizations using FTA should migrate to currently supported products,” the ACSC says.