Transport for NSW hit by Accellion breach

Australian state agency Transport for New South Wales (NSW) has become the latest organisation to be hit by the cyber attack on Accellion’s 20-year-old FTA file transfer system.

Transport for NSW said some information was taken from its Accellion system before the attack, which exploited a zero-day software flaw, was interrupted.

Accellion started notifying customers affected by the attack in December 2020 and has since patched all known FTA vulnerabilities exploited by the attackers.

Cyber Security NSW is managing the NSW government’s investigation into the incident with the help of forensic specialists.

Transport for NSW added that it was also working closely with Cyber Security NSW to understand the impact of the breach, including to customer data. It said it will ensure that any notification process for those affected will be clearly communicated and secure.

The agency stressed that the data breach was limited to Accellion servers, and that no other Transport for NSW systems had been affected, including systems related to driver licence information or Opal fare card data. 

Cyber Security NSW was first made aware of the Accellion vulnerabilities in January and with NSW Police, had established a strike force to investigate the impacts of the breach on the NSW Government.

The NSW Government has retired all instances of Accellion FTA as part of the centralised response to protect customer and government data.

In neighbouring New Zealand, the Reserve Bank of New Zealand was also affected by the same incident which had compromised information such as personal email addresses, dates of birth, or credit information.

The central bank said earlier in February 2021 that it was working directly with stakeholders to determine how many people are impacted and will ensure they are well supported.

In Singapore, telco Singtel revealed on 17 February 2021 that the data of 129,000 individuals and 23 enterprises were compromised by the Accellion attack, though a large part of the leaked data was Singtel’s internal information that is non-sensitive such as data logs, test data, reports and emails.

Supply chain vulnerabilities have come under the spotlight in the aftermath of the attack on SolarWinds’ network management software which many large enterprises and governments rely on.

According to Accenture’s State of cyber resilience 2020 report, indirect attacks against weak links in supply chains had accounted for 40% of security breaches as threat actors sought to circumvent the cyber defences of their targets.

Gaurav Chhiber, vice-president of IronNet Cybersecurity in Asia-Pacific and Japan, said against this backdrop, governments and enterprises are now looking to protect their ecosystems and future-proof their supply chain.

In January 2021, Singapore’s central bank revised its technology risk management guidelines to help the financial sector guard against supply chain attacks.

The guidelines, among others, will require financial institutions to assess and manage their exposure to technology risks that may affect the confidentiality, integrity and availability of the IT systems and data at third-party IT service providers.