The regulator waited 10 days before informing affected financial institutions of the attack
The Australian Securities and Exchange Commission has been victimised by a cyber attack – but waited 10 days before informing financial institutions that its systems had been hacked.
ASIC admitted late on Monday that it was the latest victim of cyber criminals who have been targeting corporate users of software that allows people to transfer documents and attachments, according to a report by The Sydney Morning Herald. But although potentially affected companies were only informed of the breach on Monday, ASIC identified the cyber attack on Jan. 15. While the regulator disabled its online application platform last week during its investigation, it did not explicitly say at the time that the decision was due to a cyber attack.
ASIC wasn’t the only entity targeted in the attack, the Herald reported. The Reserve Bank of New Zealand and law firm Allens were also victimised in the attack on Accellion software users. Allens clients include Westpac, which the law firm represented in the AUSTRAC money-laundering case and advised during the 2018 banking royal commission.
About 130 entities seeking a credit licence were impacted in the ASIC breach, the Herald reported. That number included new applicants and existing financial institutions that were seeking to modify their licence. Hackers accessed an ASIC server containing documents for recent credit licence applications and their attachments. Those attachments usually include detailed financial information and other confidential documents, the Herald reported.
“While the investigation is ongoing, it appears that there is some risk that some limited information may have been viewed by the threat actor,” ASIC said in a statement. “At this time ASIC has not seen evidence that any Australian credit licence application forms or any attachments were opened or downloaded.”