Iress has concluded its internal investigation into the unauthorised access of Iress’ user space on GitHub as first announced on 13 May 2024.
The software provider said the investigation has found no evidence of unauthorised access to Iress’ production environment, software or client data other than a limited portion of Iress’ OneVue production environment which was disclosed on 15 May.
The OneVue production environment primarily contained information of a technical nature such as metadata, blank questionnaires and test files, Iress said.
Within the test files, Iress also identified a limited amount of personal information relating to 20 individuals who were employees of OneVue and its clients, and had entered their personal information for testing purposes. Each of these individuals has been contacted directly about the incident and provided with appropriate guidance and support.
Iress has also engaged specialist cyber incident and forensic technology providers to assist in response to the incident.
As previously announced, Iress is aware of statements made by the alleged threat actor regarding publishing source code taken from Iress’ GitHub user space. Iress confirms that it does not rely on the secrecy of its code as a security measure and has continued to take steps to reinforce security controls to protect its software and systems.
Iress has maintained regular service to clients throughout this incident.