Tech company Iress addresses user space's security breach

Firm assures no compromise to client data

By Roxanne Libatique

Tech company Iress is examining an incident involving unauthorised access to its GitHub user space, which was initially reported on May 13.

The company has given assurances that the incident has not disrupted client operations or led to any data compromise within Iress’ software systems.

Iress detected unauthorised access to GitHub

This security breach was first identified on May 11, with Iress reporting the issue to the Australian Cyber Security Centre by the morning of May 13.

The breach is confined to Iress’ user space on GitHub, a platform for managing software development, which does not store any client information.

Iress investigates GitHub breach

In response, Iress has launched an extensive security audit across its systems. To date, this review has not identified any malware or other security threats in its internal systems or software.

The company also confirmed that its GitHub space was protected by multi-factor authentication. The unauthorised access is believed to be linked to the misuse of a specific GitHub-only security credential, which does not affect other Iress systems or protocols.

“While investigations are ongoing, at this stage, it appears the nature of the unauthorised access relates to the use of a security credential which only applies to GitHub. There is no evidence this GitHub credential can be used to access any other Iress system via our MFA protocol,” it said.

Advice to Iress clients following breach

For most clients, Iress advises that no immediate action is necessary. Nevertheless, the company will notify certain clients who might need to update their security settings as a preventive step, with further instructions provided by their relationship managers.

In the aftermath of the breach, the company has increased its security protocols and restricted the integration of code from GitHub into its production environments while the investigation continues.

The company has established a webpage dedicated to providing updates on the situation. Clients with concerns are encouraged to contact their Iress Relationship Manager for more detailed information.

“Our investigation is continuing, but we have so far not detected any evidence our clients’ data or software environments have been compromised. As soon as we detected the unauthorised access within Iress’ GitHub user space, we suspended the ability for any code to be committed into Iress’ production environment from GitHub,” it said.

Australia and New Zealand have been facing a rising number of cyber threats since last year. In the first three months of 2024, Australia already reported 1.8 million compromised user accounts.
