Completion of internal investigation into unauthorised access incident

Timestamp: 9.30am 3 July 2024

Iress has concluded its internal investigation into the unauthorised access of Iress’ user space on GitHub as first announced on 13 May 2024.

The investigation has found no evidence of unauthorised access to Iress’ production environment, software or client data other than a limited portion of Iress’ OneVue production environment. This environment primarily contained information of a technical nature such as metadata, blank questionnaires and test files. Within the test files, Iress also identified a limited amount of personal information relating to 20 individuals who were employees of OneVue and its clients, and had entered their personal information for testing purposes. Each of these individuals has been contacted directly about the incident and provided with appropriate guidance and support.

Iress has also engaged specialist cyber incident and forensic technology providers to assist in response to the incident.

As previously announced, Iress is aware of statements made by the alleged threat actor regarding publishing source code taken from Iress’ GitHub user space. Iress confirms that it does not rely on the secrecy of its code as a security measure and has continued to take steps to reinforce security controls to protect its software and systems.

Iress has maintained regular service to clients throughout this incident and thanks its clients for their patience and support as we have worked to resolve this matter. 

In the ASX statement released on 2 July Iress mentions that its internal investigation is now complete - when will a report be made available?

Iress has engaged specialist cyber incident and forensic technology providers to assist in response to the incident. One output of this support is a client report which will be available shortly.

Is there a timeframe for when this report is expected to be completed?

We expect the report to be available by around the end of July. 

What was the nature of the personal information uncovered in the OneVue breach? Was it client data?

The personal information impacted by the incident was identified in test files which included a limited amount of personal information entered by employees for testing purposes. This related to 20 individuals, each of whom have been contacted directly about the incident and provided with appropriate guidance and support.

Our investigations have identified no evidence of unauthorised access to any other client data as a result of the incident.   

Is Iress concerned about the fact that its source code may be leaked by the threat actor?

No. Iress does not rely on the secrecy of its code as a security measure and has continued to take steps to reinforce its security controls to protect its software and systems.

What does Iress mean when it says it doesn’t rely on the secrecy of its code as a security measure?

Iress has a rigorous and multi-layered approach to protecting its software.

As part of our software lifecycle process, the source code contained in GitHub is in its ‘raw’ form. After being submitted to GitHub, it goes through a series of checks, changes and amendments as well as passing through a number of systems before ultimately becoming part of our live software.

In addition to this, Iress has a dedicated infosecurity team which employs a wide array of industry-leading protections to further reinforce the security of our software and systems. This includes robust internal and external penetration testing, bug bounty programs and retrospective code reviews.

Were there any secrets contained in GitHub? Have these been rotated?

It is not our standard practice to store credentials within GitHub. However, following the incident, our review determined that there were a number of credentials contained within GitHub. These have all now been rotated and updated.

Can Iress share any indicators of compromise (IOCs)?

Iress has shared these with the Australian Cyber Security Centre.

...

Further update on Iress unauthorised access incident

Timestamp: 5.10pm 21 May 2024

Iress is aware of further updates on social media relating to the unauthorised access incident from the alleged threat actor. 

Iress has been monitoring and investigating the statements made. To date, the statements made do not change the information provided in the previous disclosures we have made to the ASX and to clients.

At this time we have found no evidence that Iress’ production environment, software or client data has been compromised, outside of Iress’ OneVue production environment where we are continuing to investigate the extent and nature of the data accessed.

Our investigations are continuing to progress as a matter of priority, conducted by a global, cross-functional team with executive oversight. We have also engaged specialist third-party cyber expertise as part of our response. Iress has also continued to take steps to update credentials and access protocols to strengthen our security posture.

At this stage, for the majority of clients no action is required. Those clients who have been required to take action have been informed.

More information will be provided to the ASX and to clients as required.

...

Timestamp: 11.30am 17 May 2024

Unauthorised access incident - client fact sheet
What has occurred?

• On Saturday 11 May 2024 Iress detected and contained an unauthorised accessing of our user space on GitHub.
• Iress uses GitHub to manage software code before it goes live in production on a separate platform. 
• As soon as we became aware of the issue, we restricted access to GitHub while commencing a rapid investigation. 
• In the course of the investigation, it was discovered that a credential within Iress’ GitHub user space was stolen and used to gain access to Iress’ OneVue production environment. This production environment is isolated to the (Australian) OneVue businesses. 
• The OneVue production environment contains client data and we are investigating the extent and nature of the data accessed.
• Iress has become aware of certain statements made today by the alleged threat actor. The statements made today do not align with the investigations made by Iress to date. 
• Investigations have further progressed and at this time we have found no evidence to substantiate the claims made.
• Investigations are ongoing. At this time, there is no evidence that Iress’ production environment, software or client data has been compromised beyond what Iress has announced to the ASX.

What is Iress doing to respond?

• Iress has disclosed this incident to the market and relevant authorities. It has also been keeping clients informed through various communications channels and live updates on the Iress Community.
• Iress has now commenced a process of strengthening access and security protocols across all software out of an abundance of caution.

What do clients need to do?

• Iress is actively assessing any actions that need to be taken by our clients. If action is required, your relationship manager will let you know.

Questions & Answers