Cyber Incident Victim: Australian Securities and Investment Commission

On January 15, 2021, the Australian Securities and Investments Commission (ASIC) publicly disclosed a cybersecurity breach affecting a server utilized for file transfers. The compromised system handled sensitive documents, including credit licence applications and associated attachments. ASIC confirmed it became aware of the incident on the same date it was announced. While unauthorized access to the server occurred, preliminary investigations indicated that attackers may have viewed certain information stored on the system. Notably, the regulator stated there was no evidence that credit licence application forms or their attachments had been downloaded by the threat actors. The breach specifically targeted a file-sharing service employed by ASIC for document transmission, though the technical mechanism of the intrusion was not detailed in initial disclosures.

The incident drew attention due to potential parallels with a cybersecurity breach at a New Zealand bank the previous month, as reported by Reuters. Both incidents reportedly involved the same file-sharing software, though ASIC did not explicitly confirm this link. The breach raised concerns about unauthorized access to financial regulatory documents and applicant data processed through ASIC’s systems. No further technical specifics regarding attacker methodologies, data exfiltration scope, or containment measures were disclosed publicly at the time of the announcement. ASIC’s statement focused on the absence of confirmed data downloads while acknowledging the possibility of information exposure. The incident underscored vulnerabilities in third-party file-transfer solutions used by regulatory bodies to manage sensitive financial sector documentation.