The Australian Securities and Investments Commission (ASIC) has become the most recent organization to announce that it suffered a data breach due to an unpatched SQL injection vulnerability in file transfer software from Accellion, a software company based in California. ASIC uses the Accellion software to move files back and forth, and it says recently submitted credit license applications were accessed by unauthorized parties. ASIC stated, “While the investigation is ongoing, it appears that there is some risk that some limited information may have been viewed by the threat actor. At this time, ASIC has not seen evidence that any Australian credit license application forms or any attachments were opened or downloaded.” ASIC has not yet responded to reporters’ requests for comment.
ASIC is not the first victim of someone taking advantage of this flaw, and it likely will not be the last. Accellion stated that it was made aware of the vulnerability in mid-December and issued a patch for the software within 72 hours, but not all of its customers installed the patch. Until organizations apply the patch, they too can fall victim to the same vulnerability. It is also suggested that internet access to systems hosting the FTA software be blocked. Anyone who may have been affected by the flaw should keep a close eye on their accounts and monitor them for any suspicious activity. Administrators should audit FTA user accounts for changes and consider resetting all users’ passwords if unauthorized access is suspected. It is also important for users to avoid reusing the same password across multiple accounts, because criminals often steal passwords from one data breach and try to use them to gain access elsewhere—a technique known as credential stuffing.
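The class of flaw named above, SQL injection, as an added illustration that is not Accellion's code and does not reproduce the actual FTA vulnerability (the article gives no details of it): a user lookup that splices the supplied value into the query text, beside the parameterized form that keeps the value as data. The `users` table, its rows and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for the kind of account store a
# file-transfer application might keep. Not Accellion's schema.
SAMPLE_USERS = [
    ("alice", "alice@example.org", "applicant"),
    ("bob", "bob@example.org", "applicant"),
    ("admin", "admin@example.org", "administrator"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The defective pattern: the caller's value becomes part of the SQL text,
    so quote characters in it change the statement's structure instead of
    being compared as data."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The hardened pattern: the value is bound as a parameter, so the
    database driver treats it as data regardless of its contents."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def looks_like_injection(value):
    """Coarse input check suitable for logging or alerting on a field that
    should only ever contain a plain identifier. Not a substitute for
    parameterization; it exists so the defender can see attempts."""
    suspicious = ("'", '"', ";", "--", "/*")
    return any(token in value for token in suspicious)


if __name__ == "__main__":
    conn = make_db()
    # The textbook tautology input: harmless here, illustrative only.
    probe = "x' OR '1'='1"
    print("vulnerable  :", lookup_vulnerable(conn, probe))     # every row
    print("parameterized:", lookup_parameterized(conn, probe))  # no rows
    print("flagged      :", looks_like_injection(probe))        # True
```

Run it directly to see the two lookups diverge on the same input: the string-built query returns every account, while the bound-parameter query returns nothing because no username literally equals that string. The `looks_like_injection` helper is what an administrator auditing an FTA-style application would wire into request logging; the real fix is the parameterized query.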