What happened in the Iress data breach?
In mid-May 2024, Australian financial technology firm Iress suffered a cyber breach that impacted their OneVue production environment containing client data. Hackers were able to steal credentials within the user space and gain unauthorized access to a limited portion of Iress’ OneVue production environment.
The breach only affected Iress’ OneVue managed funds administration, platform and superannuation division. The investigation found no evidence of unauthorized access to Iress’ core production environment, software, or wider client data.
What data was accessed?
The investigation revealed that a limited amount of personal information relating to 20 individuals was accessed without authorization. These individuals were employees of OneVue and its clients who had entered their personal information into test files for testing purposes. Each of the 20 individuals impacted has been directly contacted by Iress and provided with guidance and support.
In early July 2024, Iress announced the completion of their internal investigation into the May cyber breach. The investigation was supported by specialist cyber incident and forensic technology providers. No further unauthorized access beyond the limited OneVue environment was found.
Iress confirmed in their statement to the ASX that “no evidence of unauthorised access to Iress’ production environment, software or client data other than a limited portion of Iress’ OneVue production environment” was found.
They also noted this environment “primarily contained information of a technical nature such as metadata, blank questionnaires and test files” and the personal data accessed was only “within the test files”.
Impact on OneVue Business
Earlier in 2024, Iress had sold their OneVue platform business to Praemium in a $1 million initial cash deal, with up to $20 million more based on milestones. Praemium stated the investigation “has not identified any adverse impact on the Iress OneVue Platform business acquired by Praemium.” Both firms cooperated during the investigation process.
Cybersecurity reporting requirements
ASX-listed businesses must promptly report any data breaches to the market, as failure to do so could contravene Corporations Act listing rules. This covers readiness, response, recovery and remediation in case of a cyber incident, demonstrating the importance placed on transparency around incidents such as the Iress data breach.