General communication on incident – 05 December 2023
Subject: Notification of ownCloud cyber incident
The ownCloud application and details of the incident
Following the recent incident where a criminal third party unlawfully obtained access to an isolated ownCloud server hosted by SigniFlow (Pty) Ltd (South Africa), we are providing a further update on our investigation.
ownCloud is a self-hosted file synchronisation and sharing platform used for storing, sharing, and accessing files. The solution is similar to other cloud services such as Google Drive or Dropbox.
On 21 November 2023, ownCloud disclosed a zero-day vulnerability (CVE-2023-49103) of their platform. We understand that the vulnerability enables the unlawful and unauthorised intrusion of an ownCloud server.
Our use of the ownCloud application was limited to the storage of certain company information and the sharing of software update files between internal teams. The ownCloud service was also in use by two clients who opted to use it for uploading documents, limited to support functions, outside the normal support channels.
On 28 November 2023, we received suspicious alerts from the ownCloud service in respect of data access and deletion that was actioned without authorisation. We immediately investigated and took action to isolate and take the affected ownCloud service offline. An investigation was initiated to understand the scope of the incident. External legal and forensic specialists were appointed to assist with our investigation.
The investigation revealed that the zero-day vulnerability (CVE-2023-49103) was exploited on the ownCloud service which led to a criminal third party gaining access to this service.
Status of our investigation
We have determined that data was impacted with the majority of the files being non-sensitive and non-confidential information about our business.
We have experienced no disruption to our services and confirm that the vulnerability has been contained and resolved. This is because our reliance on the ownCloud service was limited to the specific circumstances as explained above.
We can confirm that there was data accessed and exfiltration of third-party data stored on the ownCloud service. Details of the incident were shared with the third parties on 29 November 2023 so that further investigations and notifications could take place. We are actively supporting those third parties affected and will continue to do so by providing clarity and information where required.
Impact on other services
The ownCloud application is in no way connected to our network or core systems and service offering. We have no reason to believe that our core systems have been impacted or that any access was gained into our environment(s) by unlawful third parties through this incident.
We take the confidentiality, privacy and security of data and personal information very seriously. We have taken additional measures to increase monitoring and security protocols where possible and urge all customers and consumers to remain vigilant in respect of this zero-day vulnerability.
Our investigations are still ongoing, and we thank you for your understanding and cooperation during this time.
If you have any questions or concerns, please feel free to contact our head of legal and compliance at [email protected].