QIMR Berghofer Medical Research Institute and Singtel are the latest large organisations to fall victim to the Accellion data breach.
QIMR Berghofer said in a statement that about 4 percent of data held on the file-sharing system - or 620MB in total - appeared to have been accessed by an unknown party on Christmas Day.
It used Accellion “to receive and share data from clinical trials of anti-malarial drugs”, though it said no personally identifiable information was in the documents on the system.
“These clinical trials are conducted with healthy volunteers,” QIMR Berghofer said.
“No names, contact details or other personally identifiable details of study participants are in the files held in Accellion.
“Instead, codes are used to refer to study participants.
“Some of the documents in Accellion include de-identified information such as the initials, date of birth, age, gender, and ethnic group of clinical trial participants, as well as the participant codes.
“Some other documents include participants’ de-identified medical histories, along with their codes.”
QIMR Berghofer’s director and CEO, Professor Fabienne Mackay, apologised and expressed concern that some data on Accellion “appears to have been accessed”.
“We don’t believe that any of the information in Accellion could be used to identify any of these participants, but nonetheless, I want to apologise sincerely that some of their de-identified information could potentially have been accessed,” Mackay said.
“We cannot contact these clinical trial participants because we don’t know who they are, and don’t have their names or contact details. However, if anyone has any concerns, or would like more information, they can contact us via the details below.
“We are contacting our clinical trial partners and other stakeholders to let them know what has happened and what we are doing to address this likely data breach.”
Mackay said that some files on Accellion had been there for 15 years.
“However, they did not need to be stored in Accellion,” Mackay said.
“We are examining our protocols for using third-party file-sharing services and will put procedures in place to try to ensure that files are regularly reviewed and saved in the most secure location.”
QIMR Berghofer said there were also some staff CVs on Accellion, as well as other “internal files”.
Accellion notified QIMR Berghofer on February 2 that it was likely to have been caught up in the breach.
QIMR Berghofer said it had scheduled the software to be decommissioned next month.
Singtel, meanwhile, said it had suspended all use of the Accellion system and "activated investigations" after being informed that it was also likely impacted.
"We are currently conducting an impact assessment with the utmost urgency to ascertain the nature and extent of data that has been potentially accessed," Singtel said.
"Customer information may have been compromised.
"Our priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks.
"We will reach out to them at the earliest opportunity once we identify which files relevant to them were illegally accessed."
The Australian Securities and Investments Commission (ASIC), the Reserve Bank of NZ, and NSW government agencies are also caught up in the attack.