Accellion cyber incident

On 15 January 2021, the Australian Securities and Investments Commission (ASIC) became aware of a cyber security incident affecting a server used by ASIC.

The incident

On 28 December 2020, an unidentified threat actor accessed an ASIC server containing attachments to Australian credit licence applications submitted to ASIC between 1 July 2020 and 28 December 2020.

The cyber incident occurred due to a vulnerability in a file transfer appliance (FTA) provided by California-based Accellion and used by ASIC to receive attachments to Australian credit licence applications.

ASIC has determined that the credit licence application forms held within the server were not accessed. Analysis by ASIC’s independent forensic investigators shows no evidence that attachments were opened or downloaded.

However, the filenames of attachments for credit licence applications that were submitted to ASIC between 1 July 2020 and 28 December 2020 may have been viewed by the threat actor. For example, the credit licence applicant’s name or the name of an individual responsible manager, if these were used in the filename of the attachment (e.g. police check, CV), may have been viewed by the threat actor.

Our response

In response to the incident, ASIC has:

  • disabled the relevant server;
  • ascertained that no other ASIC information technology (IT) infrastructure is impacted;
  • taken steps to amend the credit licence application instructions to provide alternative arrangements for applicants to submit their attachments (see below);
  • written to all identified credit licence applicants (via the contact email address nominated by the applicant) to inform them of the incident;
  • advised impacted applicants to be careful about approaches from parties purporting to have their confidential information, and what to do if they are approached;
  • commenced an assessment of the unauthorised access in accordance with our obligations under the Privacy Act 1988;
  • informed relevant authorities; and
  • engaged independent cybersecurity experts to complete a forensic investigation.

If you have been impacted

ASIC has written to directly impacted parties. If you require additional information, please email

Frequently asked questions

For more information, download frequently asked questions.

Last updated: 25/01/2021 12:00