Cyber Incident Victim: TechnologyOne

On or around May 1, 2023, Australian enterprise resource planning solutions provider TechnologyOne Limited detected that an unauthorised third party had acted illegally to access its internal Microsoft 365 back-office system. The company, which is listed on the Australian Securities Exchange (ASX), initiated an urgent investigation into this cyber incident. This investigation included the initiation of its cyber response strategy, the appointment of third-party cybersecurity experts, and the isolation of the affected systems to prevent further unauthorized access. The company reported the incident to relevant authorities and complied with its regulatory obligations. TechnologyOne specifically noted that its customer-facing Software-as-a-Service (SaaS) platform was not connected to the compromised Microsoft 365 system and therefore was not impacted by the breach, ensuring customer data on that platform remained secure.

On May 10, 2023, TechnologyOne requested an immediate trading halt from the ASX for all of its securities. The company formally requested the halt to remain in place until the earlier of a further announcement or the commencement of normal trading on Friday, May 12, 2023. This action was taken to manage the release of information to the market as the investigation into the cyber incident continued. The company’s financial filing and public statements on this date reiterated that the intrusion was limited to the internal Microsoft 365 environment and that the core SaaS product was isolated and unaffected. The focus of the ongoing investigation was to determine what specific data may have been accessed via the breached back-office system.

By May 12, 2023, TechnologyOne resumed trading on the ASX. In an update provided at that time, the company announced that the targeted internal Microsoft 365 systems had been fully restored and were operational again. The firm had received confirmation from the third-party cybersecurity experts it had engaged that the Microsoft 365 system was now secure. The company's public statements emphasized that its back-office system maintained administrative information, which was separate from customer information and data housed on its SaaS platform. The primary focus remained on advancing the investigation to determine the nature and scope of any data that was potentially accessed.

The consequence of the incident was the potential compromise of administrative information held within TechnologyOne's internal Microsoft 365 system. The company stated that once the investigation progressed further, it would be in a position to contact any individuals who may have been affected to work with them on the safety of their data. The company apologized to these potentially impacted individuals for any concern the incident may have caused. The incident caused a temporary disruption to the company's normal stock market operations, with trading halted for two days to allow for the management of the situation and the release of information.

The company's response actions were detailed and followed a clear containment and recovery process. The immediate action was to isolate the affected Microsoft 365 systems to contain the breach and prevent any potential lateral movement. External cybersecurity experts were appointed to conduct a forensic investigation and to assist with securing the environment. Authorities, including relevant government and regulatory bodies, were notified of the breach in accordance with legal requirements. The restoration of the isolated systems was completed, and their security was verified by independent third-party experts before they were returned to full operational status. TechnologyOne committed to providing further updates to the market via the ASX and on its corporate website as more information became available from the investigation.