ASIC updates on potential privacy issue with “search retrieval” service
Along with shutting down the service, ASIC has also published an alert on its website asking anyone who thinks they might be affected by the privacy issue to contact the regulator.
Regulators are not immune to cyber problems, with the latest piece of proof in this respect coming from the Australian Securities & Investments Commission (ASIC).
In his opening statement before the Parliamentary Joint Committee on Corporations and Financial Services, Peter Kell, ASIC’s Acting Chair, today provided an update on a potential privacy issue.
He said that on November 9, 2017, ASIC disabled a ‘search retrieval’ service on its website, after being alerted to an issue with the service. The issue was that a person who entered another person’s email address could view on their screen that person’s recent paid search attempts. Mr Kell stressed that no one’s personal details, such as credit card information, could have been revealed, nor had any of ASIC’s internal data been disclosed.
He added that the company or other search documents themselves contain only publicly available information.
The “search retrieval” service became available in May 2017 to allow the online retrieval of a company search for 90 days after the purchase via the ASIC Connect service, using a receipt number or email. Previously, such requests had been handled via phone.
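The flaw described above is an authorization problem: a retrieval lookup keyed on an email address alone treats knowledge of the address as proof of purchase. The following is an added illustrative example, not ASIC’s code (its implementation is not on this page); the purchase records are constructed, and the hardened variant, which requires the receipt number and the matching email together and returns only that one record, is one possible mitigation rather than what ASIC implemented.

```python
from dataclasses import dataclass
from typing import List, Optional
import hmac


@dataclass(frozen=True)
class PaidSearch:
    receipt: str   # receipt number issued at purchase
    email: str     # purchaser's email address
    document: str  # the purchased company extract (public information)


# Constructed sample purchase store for this example (not real ASIC data).
PURCHASES = [
    PaidSearch("R-1001", "alice@example.com", "Extract: ACME PTY LTD"),
    PaidSearch("R-1002", "alice@example.com", "Extract: WIDGETS PTY LTD"),
    PaidSearch("R-2001", "bob@example.com", "Extract: GADGETS PTY LTD"),
]


def retrieve_by_email_insecure(email: str) -> List[str]:
    """Flawed lookup: the email address alone acts as the credential.

    Anyone who knows an address can list that person's recent paid
    searches, which is the exposure the article describes.
    """
    return [p.document for p in PURCHASES if p.email.lower() == email.lower()]


def retrieve_hardened(receipt: str, email: str) -> Optional[str]:
    """Require proof of purchase: the receipt number must exist and be bound
    to the supplied email, and only that single record is returned.

    Unknown receipt, wrong email and no match all yield the same answer, so
    the endpoint does not confirm whether an address belongs to a customer.
    """
    for p in PURCHASES:
        # Constant-time comparisons so response timing does not reveal
        # which of the two values mismatched.
        receipt_ok = hmac.compare_digest(p.receipt.encode(), receipt.encode())
        email_ok = hmac.compare_digest(p.email.lower().encode(),
                                       email.lower().encode())
        if receipt_ok and email_ok:
            return p.document
    return None


if __name__ == "__main__":
    print(retrieve_by_email_insecure("alice@example.com"))  # two documents, no proof needed
    print(retrieve_hardened("R-1001", "alice@example.com"))  # one document
    print(retrieve_hardened("R-1001", "bob@example.com"))    # None
```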
There were 6,760 retrieval searches between May 13, 2017, and when the service was disabled on November 9, 2017.
Along with shutting down the service, ASIC has also published an alert on its website asking anyone who thinks they might be affected to contact ASIC. The regulator has also individually emailed around 770 users to notify them of the issue and invite them to contact ASIC.
In addition, as the regulator recognizes the importance of complying with its privacy obligations, it has consulted the Office of the Australian Information Commissioner.
Mr Kell said ASIC is investigating the matter, including how the issue arose and how it can ensure it does not happen again.
ASIC’s main search function for people looking up companies and other registers is unaffected. People can still search ASIC’s databases via the website or an information broker.
ASIC is not the only financial sector regulator to report such issues. In September this year, Jay Clayton, Chairman of the US Securities and Exchange Commission (SEC), confirmed that in certain cases cyber threat actors had managed to access or misuse the regulator’s systems. In August 2017, the SEC learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of the EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. The Commission said it believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.