Personal details of 20 people breached in Iress hack

Iress has completed an investigation into a breach of its OneVue platform, finding it was isolated to a "limited" part that contained test files, metadata and information about 20 employees or clients.

The financial software maker and platform operator in May disclosed a breach of its GitHub user space, where a credential was stolen and exploited to access the OneVue production environment.

OneVue is a wholesale wealth management platform, whose clients would investment managers, trustees and financial institutions. It was recently divested by Iress.

A forensic investigation of the breach found that "a limited portion of Iress’ OneVue production environment" was accessed by the threat actor.

"This environment primarily contained information of a technical nature such as metadata, blank questionnaires and test files," Iress said in an ASX disclosure.

"Within the test files, Iress also identified a limited amount of personal information relating to 20 individuals who were employees of OneVue and its clients, and had entered their personal information for testing purposes.

"Each of these individuals has been contacted directly about the incident and provided with appropriate guidance and support."

Iress said it had found “no evidence" of broader "unauthorised access to Iress’ production environment, software or client data”.

Iress first detected and contained an unauthorised access to its user space on GitHub on May 11.

The space is used to manage Iress’ pre-production software code before it is made live in production on a separate platform.

“Iress has maintained regular service to clients throughout this incident and thanks its clients for their patience and support as we have worked to resolve this matter,” the company added.