QIMR Berghofer Medical Research Institute is investigating a likely data breach through the third-party file-sharing system Accellion.
Early internal investigations indicate that about 4 per cent, or 620MB, of the QIMR Berghofer data in Accellion appears to have been accessed through the file-sharing system on 25 December 2020.
Nine QIMR Berghofer employees use the Accellion system.
The first notification QIMR Berghofer received from Accellion was on 4 January 2021, when the company advised the Institute to apply a security patch. The Institute immediately took the software offline and applied the patch.
Accellion notified QIMR Berghofer on Tuesday 2 February 2021 that it believed the Institute had been affected by the data breach, which has also affected a number of Accellion's other Australian and international clients.
The likely data breach, by an unknown party, appears to have been caused by a vulnerability in Accellion's system.
QIMR Berghofer immediately shut down the software and launched an internal investigation and forensic analysis. The Institute has sent a copy of its system to Accellion, which is conducting its own forensic analysis to confirm that a data breach has occurred, and, if so, which files were accessed.
The Institute's preliminary investigations indicate that no personally identifying information belonging to members of the public was held in the Accellion system.
