Source headline: The Australian Securities and Investments Commission has been impacted by Accellion's data breach
# Incident Report: Accellion Data Breach Impacting ASIC
## Executive Summary
The Australian Securities and Investments Commission (ASIC) experienced a data breach resulting from a compromise targeting their third-party file-sharing solution provider, Accellion. The incident involved unauthorized access to an Accellion server containing documents related to recent Australian credit licence applications. ASIC has taken containment action by isolating the affected server and is investigating the extent of the data compromise.
## Incident Details
- **Discovery Date:** Not explicitly stated; ASIC issued its public statement "10 days after the incident" (implying early January 2021, given the article date of January 22, 2021).
- **Incident Date:** Prior to January 12, 2021.
- **Affected Organization:** Australian Securities and Investments Commission (ASIC).
- **Sector:** Government/Financial Regulatory.
- **Geography:** Australia.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (pre-January 12, 2021).
- **Vector:** Compromise of the Accellion third-party file-sharing solution utilized by ASIC.
- **Details:** Threat actors gained unauthorized access to an Accellion server hosting ASIC documents.
### Lateral Movement
- Not specified in the provided text; the access was obtained through the compromised third-party vendor environment rather than through ASIC's own network.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Documents associated with recent Australian credit licence applications were exposed. ASIC admitted there is "some risk that some limited information may have been viewed by the threat actor."
### Detection & Response
- **How it was discovered:** ASIC became aware of the unauthorized access and disclosed the breach publicly approximately 10 days after the incident occurred; the detection mechanism itself is not described in the source.
- **Response actions taken:** ASIC immediately isolated the impacted server to prevent further compromise. Their IT team and cybersecurity advisers engaged forensic investigation efforts and are working on establishing a safe alternative submission method for credit licence applications.
## Attack Methodology
Based on the context of the Accellion breaches affecting other entities around the same time, the methodology is inferred as primarily **Supply Chain Attack**, leveraging a vulnerability within the Accellion File Transfer Appliance (FTA).
- **Initial Access:** Exploitation of a vulnerability in the Accellion FTA server.
- **Persistence:** Not detailed, but implied through access maintained on the compromised server.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Unknown, likely internal reconnaissance on the accessible server.
- **Lateral Movement:** Attack was likely contained to the vendor environment initially, impacting ASIC data stored there.
- **Collection:** Gathering specific documents related to credit licence applications.
- **Exfiltration:** Transferring collected documents off the Accellion server.
- **Impact:** Confidentiality breach of sensitive regulatory application data.
## Impact Assessment
- **Financial:** Not estimated in the text.
- **Data Breach:** Confidential documents associated with recent Australian credit licence applications. The scope is described as "some limited information."
- **Operational:** Disruption to the credit licence application submission process until a safe alternative is established.
- **Reputational:** Negative publicity for ASIC due to the security incident at the regulator.
## Indicators of Compromise
*No specific IoCs (IPs, domains, hashes) were provided in the source text.*
## Response Actions
- **Containment measures:** Complete isolation of the impacted Accellion server.
- **Eradication steps:** Forensic investigation undertaken by ASIC's IT team and external cybersecurity advisers to determine the extent of compromise.
- **Recovery actions:** Working to bring systems back online safely and establishing an alternative submission method for credit licence applications.
## Lessons Learned
- **Key takeaways:** Third-party vendor risk (supply chain risk) remains a significant and actively exploited attack vector, capable of impacting downstream organizations simultaneously (context mentions Reserve Bank of New Zealand and Westpac also being affected).
- **What could have been done better:** Enhanced oversight or direct security posture requirements for critical third-party systems like file transfer appliances.
## Recommendations
- **Prevention measures for similar incidents:** Implement rigorous third-party risk management (TPRM) focused specifically on software providers handling sensitive data. Ensure business continuity plans include immediate alternatives for critical data submission channels in the event of vendor disruption.