Iress confirms staff personal test data accessed in cyber breach

Popular planning software developer Iress has confirmed that a “limited portion” of staff data from its OneVue platform – soon to be migrated to rival wealthtech Praemium – production environment was accessed during a recent cyber incident, though client data appears to have been spared.

Concluding an internal investigation into a suspected ‘unauthorised access’ incident in May, Iress confirmed today in an announcement to the Australian Securities Exchange (ASX) that personal information relating to 20 employees of OneVue and its clients was exposed in the breach.

The wealthtech concluded, however, that investigators found “no evidence” of a further breach of its production environment, software or client data.

On 13 May, Iress disclosed to the ASX that it had detected unauthorised access to its user space on GitHub – a third-party code repository platform which manages software code before it goes live in production on a separate platform – two days earlier.

The firm stated at the time that it does not store client information on GitHub, adding that there is “no evidence that client data… [and] no evidence that Iress’ production or client software has been compromised”.

In an update to the exchange on 15 May, Iress confirmed that the OneVue production environment does, in fact, contain client data, adding that a stolen credential from the third-party user space was used to gain access to this production environment.

Two days later, Iress said it was contacted by the alleged threat actor claiming to be involved in the breach; however, based on its own investigations, the hacker’s claims were not credible.

The wealthtech’s recent investigations confirmed that the OneView production environment “primarily contained information of a technical nature, such as metadata, blank questionnaires and test files”.

“Within the test files, Iress also identified a limited amount of personal information relating to 20 individuals who were employees of OneVue and its clients, and had entered their personal information for testing purposes,” Iress wrote in its most recent filing to the ASX.

Iress added: “Each of these individuals has been contacted directly about the incident and provided with appropriate guidance and support.”

It appears, however, that client data was spared from exposure.

Iress said it was also “aware of statements made by the alleged threat actor regarding publishing source code taken from [its] GitHub user space”.

“Iress confirms that it does not rely on the secrecy of its code as a security measure and has continued to take steps to reinforce security controls to protect its software and systems.”

The wealthtech added that it has recruited a “specialist cyber incident and forensic technology provider” to assist with the incident response.

Praemium, which in April agreed to acquire 100% of the OneVue platform, backed the conclusions of the Iress investigation which it said found no “adverse impact on the Iress OneVue Platform business (IOPB)”.

Praemium said it was “grateful for Iress’s cooperation during the period from observing the incident to its conclusion today”.