Perpetual Limited has revised its guidance on a security incident at a third-party provider, now saying that “a limited amount of personal information has been compromised.”
The ASX-listed financial firm - and particularly its customers - have suffered the effects of the incident for much of June, in the form of an extended outage to customer-facing services, including its self-service portal.
But the incident escalated this week with the company conceding that while “sensitive client data remains secure and encrypted”, some “personal information” was accessed.
The company explained its findings on a subsite it has now set up specifically for the incident.
“We have become aware that some personal information was accessed from the third-party system,” Perpetual noted in FAQ responses.
“Our investigation has found two separate and unrelated files which may have been compromised: a file containing first names, surnames and addresses and a second separate file containing bank account details which are unlinked to names and addresses, meaning that it is difficult to match these bank account details with names and addresses that appear in the first file.”
Perpetual said it is informing affected customers.
The breached company provides a unit registry system to Perpetual; the financial firm explained this is used to perform “administration services to some of our funds such as annual statement generation, recording investor/member transactions and maintaining a registrar of the investor/member holdings in the funds.”
“The registry provider maintains investor/member data to provide these types of services,” Perpetual said.
Perpetual said it had taken some of its own core systems offline as a precaution “to prevent any spread” of the incident. It said these measures allowed the incident to be contained to the third-party provider only.
The company also defended its supplier and supply chain governance arrangements.
“We regularly review third-party providers to ensure their processes and controls either meet or exceed industry standards,” it said.
“We annually audit the design and effectiveness of key IT controls at the provider relating to security, availability, confidentiality and privacy.
“As part of the restoration work currently underway, we have taken extra steps [to] check and verify that systems are protected and safe in a new environment.”