Iress says no client data compromised in GitHub breach

In an ASX announcement on Monday morning, technology firm Iress said it “detected and contained” an unauthorised accessing of its user space on GitHub on Saturday.

GitHub is a third-party code repository platform that manages software code before it goes live in production on a separate platform.

The firm stressed that “Iress does not store client information on GitHub”.

“Iress restricted access to GitHub immediately upon discovery and commenced a rapid investigation,” it said.

“There is no evidence that client data has been compromised as a result of this issue. There is also no evidence that Iress’ production or client software has been compromised.”

Iress added that it has commenced a process of “strengthening access and security protocols out of an abundance of caution”.

“We do not anticipate any disruption to our business or our clients’ ability to use our software and systems,” it added.

“Iress is making this announcement in the interests of transparency and keeping all stakeholders informed.

“The company takes information security extremely seriously and has notified relevant authorities.”

Speaking at the Adviser Innovation Summit last year, Fraser Jack, founder of The Cyber Collective, said the consequences of a cyber attack are more impactful than most advisers realise, including the amount of clients that could be lost.

“The reportable breach regime that ASIC have introduced, when you have to report a breach, that notification is going to be published for all to see,” Jack said.

“Core Data did some stats really recently around what clients would do in the event of a data breach on their financial advice practice. This was specific to financial advice practices, though I’ve done other surveys that come up with similar results for accountants.

“But they basically said that 60 per cent of clients would leave their financial advice practice, which is not what advisers thought. Around 95 per cent of advisers thought they might lose up to 11 per cent of their practice in the event of a cyber or data breach.”