14-05-2024 04:59 PM - edited 09-07-2024 02:35 PM
Update on unauthorised access incident
Timestamp: 2.30pm 9 July 2024
Iress is aware of messages posted on social media by an actor alleged to be associated with the unauthorised access to GitHub incident.
Iress has been monitoring and investigating the statements made. To date, the statements made do not change the information provided in the previous disclosures we have made to the ASX and to clients.
Iress has rotated all credentials out of an abundance of caution, in addition to resetting all login details for employee access to Iress systems. As previously announced, Iress has also continued to take steps to reinforce security controls to protect its software and systems.
...
Completion of internal investigation into unauthorised access incident
Timestamp: 9.30am 3 July 2024
Iress has concluded its internal investigation into the unauthorised access of Iress’ user space on GitHub as first announced on 13 May 2024.
The investigation has found no evidence of unauthorised access to Iress’ production environment, software or client data other than a limited portion of Iress’ OneVue production environment. This environment primarily contained information of a technical nature such as metadata, blank questionnaires and test files. Within the test files, Iress also identified a limited amount of personal information relating to 20 individuals who were employees of OneVue and its clients, and had entered their personal information for testing purposes. Each of these individuals has been contacted directly about the incident and provided with appropriate guidance and support.
Iress has also engaged specialist cyber incident and forensic technology providers to assist in response to the incident.
As previously announced, Iress is aware of statements made by the alleged threat actor regarding publishing source code taken from Iress’ GitHub user space. Iress confirms that it does not rely on the secrecy of its code as a security measure and has continued to take steps to reinforce security controls to protect its software and systems.
Iress has maintained regular service to clients throughout this incident and thanks its clients for their patience and support as we have worked to resolve this matter.
In the ASX statement released on 2 July Iress mentions that its internal investigation is now complete - when will a report be made available?
Iress has engaged specialist cyber incident and forensic technology providers to assist in response to the incident. One output of this support is a client report which will be available shortly.
Is there a timeframe for when this report is expected to be completed?
We expect the report to be available by around the end of July.
What was the nature of the personal information uncovered in the OneVue breach? Was it client data?
The personal information impacted by the incident was identified in test files which included a limited amount of personal information entered by employees for testing purposes. This related to 20 individuals, each of whom has been contacted directly about the incident and provided with appropriate guidance and support.
Our investigations have identified no evidence of unauthorised access to any other client data as a result of the incident.
Is Iress concerned about the fact that its source code may be leaked by the threat actor?
No. Iress does not rely on the secrecy of its code as a security measure and has continued to take steps to reinforce its security controls to protect its software and systems.
What does Iress mean when it says it doesn’t rely on the secrecy of its code as a security measure?
Iress has a rigorous and multi-layered approach to protecting its software.
As part of our software lifecycle process, the source code contained in GitHub is in its ‘raw’ form. After being submitted to GitHub, it goes through a series of checks, changes and amendments as well as passing through a number of systems before ultimately becoming part of our live software.
In addition to this, Iress has a dedicated infosecurity team which employs a wide array of industry-leading protections to further reinforce the security of our software and systems. This includes robust internal and external penetration testing, bug bounty programs and retrospective code reviews.
Were there any secrets contained in GitHub? Have these been rotated?
It is not our standard practice to store credentials within GitHub. However, following the incident, our review determined that there were a number of credentials contained within GitHub. These have all now been rotated and updated.
Can Iress share any indicators of compromise (IOCs)?
Iress has shared these with the Australian Cyber Security Centre.
...
Further update on Iress unauthorised access incident
Timestamp: 5.10pm 21 May 2024
Iress is aware of further updates on social media relating to the unauthorised access incident from the alleged threat actor.
Iress has been monitoring and investigating the statements made. To date, the statements made do not change the information provided in the previous disclosures we have made to the ASX and to clients.
At this time we have found no evidence that Iress’ production environment, software or client data has been compromised, outside of Iress’ OneVue production environment where we are continuing to investigate the extent and nature of the data accessed.
Our investigations are continuing to progress as a matter of priority, conducted by a global, cross-functional team with executive oversight. We have also engaged specialist third-party cyber expertise as part of our response. Iress has also continued to take steps to update credentials and access protocols to strengthen our security posture.
At this stage, for the majority of clients no action is required. Those clients who have been required to take action have been informed.
More information will be provided to the ASX and to clients as required.
...
Timestamp: 11.30am 17 May 2024
Unauthorised access incident - client fact sheet
What has occurred?
What is Iress doing to respond?
What do clients need to do?
Questions & Answers
| Question | Answer |
| --- | --- |
| Have you reported the incident to authorities? How long did it take you to report it? | The issue was discovered early on Saturday 11 May (AEST) and was reported to the Australian Cyber Security Centre on Monday morning 13 May 2024. |
| Which government agencies / regulatory bodies have been informed? | Iress has engaged with the Australian Cyber Security Centre and relevant authorities about this incident. Iress is actively monitoring our regulatory obligations and will continue working with the relevant authorities and regulators. |
| Who is leading the response to this incident? | A cross-functional internal team with executive oversight is leading the response, supported by third-party expertise as required. |
| Have you engaged specialist third parties to assist with this incident? | Yes, we have engaged third parties including specialist cyber incident and technology experts to support Iress with this incident. We will engage third parties where appropriate to support our ongoing activities in connection with this incident. |
| Has this incident resulted in any disruption to current services for Iress’ clients? | No, there has been no disruption to current services for Iress’ clients. |
| Has any client data or personal identifying information been accessed as a result of this issue? | Investigations are ongoing. We have provided details about this incident in our ASX announcements. We are not able to provide additional details at this time. |
| Is there a chance my software environment has been compromised? | As stated in our ASX announcements, apart from Iress’ OneVue production environment, at this time we have found no evidence that the remainder of Iress’ production environment, software or client data has otherwise been compromised. |
| Are any other systems compromised? | Investigations are ongoing. We have provided details about this incident in our ASX announcements. We are not able to provide additional details at this time. |
| What remediation steps have you taken? | We have provided details about this incident in our ASX announcements. We are not able to provide additional details at this time. |
| What do clients need to do? | For the majority of clients, no action is required. In some instances, it will be recommended that clients update their security credentials. If this impacts you, your relationship manager will let you know. |
Iress is a technology company providing software to the financial services industry.
Our software is used by more than 9,000 businesses and 500,000 users globally.