Brought to you by:

Cover-More unscathed as ASIC, RBNZ investigate cyber breach

Travel insurer Cover-More says it was not directly impacted by a cyber attack on software provided by Accellion.

Almost 50 Accellion customers were hit by a recent security incident, including corporate regulator the Australian Securities and Investments Commission (ASIC), the Reserve Bank of New Zealand (RBNZ) and law firm Allens, which has provided legal advice to QBE, Westpac and Allianz.

Zurich-owned Cover-More is listed on Accellion’s website as a customer in a detailed case study. Allens began using the software in 2011.

“There is no direct impact on the Cover-More business,” a spokesman told insuranceNEWS.com.au.

California-based Accellion said in a statement that in mid-December it was made aware of a vulnerability in its File Transfer Appliance (FTA) software, a 20 year old product that specialises in large file transfers which it described as a “legacy” product.

“Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected,” the statement says. “While Accellion maintains tight security standards for its legacy FTA product, we strongly encourage our customers to update to kiteworks, the modern enterprise content firewall platform, for the highest level of security and confidence.”

ASIC revealed it became aware of the cyber security incident relating to Accellion software used to transfer files and attachments affecting a server it uses on January 15. Unauthorised access to the server, which contained documents associated with recent Australian credit licence applications, was detected.

ASIC disabled access to the affected server and said no other ASIC technology infrastructure was impacted or breached.

“There is some risk that some limited information may have been viewed by the threat actor. At this time ASIC has not seen evidence that any Australian credit licence application forms or any attachments were opened or downloaded,” the regulator said.

RBNZ Governor Adrian Orr apologised to those impacted by what he said was a “significant data breach”.

“While a malicious third party has committed the crime, and we believe service provisions have fallen short of our agreement, the Bank has also fallen short of the standards expected by our stakeholders,” Mr Orr said.

“Personally, I own this issue and I am disappointed and sorry.”

Accellion says its products have been installed at more than 3000 of the world’s leading corporations and government agencies.