Data breach probe at Qld research institute
Respected Queensland research facility QIMR Berghofer Medical Research Institute said early investigations indicated that about 620 megabytes of data held in the file-sharing system Accellion had been accessed on Christmas Day.
It has launched an internal investigation into the "likely" hacking.
The institute uses the software to receive and share data from clinical trials of antimalarial drugs conducted with healthy volunteers.
"No names, contact details or other personally identifiable details of study participants are in the files held in Accellion," the institute said in a statement.
"Instead, codes are used to refer to study participants."
The statement said CVs belonging to about 30 current and former research staff held in Accellion could also have been accessed, and the institute was offering advice and assistance to those employees.
QIMR Berghofer's director and CEO Fabienne Mackay apologised for the suspected data breach.
"We are very concerned that some data appears to have been accessed and I want to say a sincere sorry to our stakeholders, particularly our clinical trial partners and members of the public who took part in our antimalarial drug trials," Professor Mackay said.
"These trial participants do a wonderful community service by helping to speed up the development of new drugs for a disease that kills about 400,000 people every year.
"We don't believe that any of the information in Accellion could be used to identify any of these participants, but nonetheless, I want to apologise sincerely that some of their de-identified information could potentially have been accessed.
"Many of these files have to be kept for 15 years. However, they did not need to be stored in Accellion. We are examining our protocols for using third-party file-sharing services and will put procedures in place to try to ensure that files are regularly reviewed and saved in the most secure location."
Professor Mackay said data security was a top priority for QIMR Berghofer.
"We will keep working with Accellion to understand how this suspected breach occurred, which files were accessed and why QIMR Berghofer was not notified sooner," she said. "In the meantime, we have decommissioned the Accellion system from use at QIMR Berghofer."
The institute said there was no indication hackers had gained access to QIMR Berghofer's internal network or any of its other servers.
"For security reasons, the Accellion system sits outside the institute's core network," the QIMR Berghofer statement said.
Accellion advised QIMR Berghofer to apply a security patch on January 4.
On February 2, the institute was informed of the suspected data breach by "an unknown party".
QIMR Berghofer has notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.
Anyone with concerns should email the institute at firstname.lastname@example.org or phone 1800 993 000.