APRA Pulls Data Submission System After Security Penetration Test
The Australian Prudential Regulation Authority (APRA) has shut down its data submission system known as Direct to APRA (D2A) after a routine security penetration test discovered vulnerabilities in the platform. The system was taken offline on March 20, just one day after the vulnerabilities were identified during testing on March 19.
APRA said the vulnerabilities were discovered during a regular security test, and although there is no evidence that the system was breached or exploited, the regulator decided to shut it down as a precaution due to its low tolerance for cybersecurity risks.
The D2A system has been used by banks, insurers, and superannuation funds to submit regulatory data to APRA. The platform was a Java-based Oracle application, installed as a client on the reporting entity's own systems, that accepted submissions in XML (Extensible Markup Language) or XBRL (eXtensible Business Reporting Language) format, or via manual data entry.
The system was already nearing the end of its lifecycle and was originally planned to be replaced by a new platform by 2027. However, following the security findings, APRA has decided to accelerate the transition to the new system called APRA Connect.
APRA Connect is a web-based data submission platform that accepts Microsoft Excel files, replacing the locally installed D2A client with a browser-based workflow. The new platform will also drop support for XBRL.
After shutting down the old system, APRA advised all organizations that had been using D2A to uninstall the D2A client software immediately, warning that leaving it installed could pose a residual security risk even with the server side offline. The regulator also asked organizations to review their own system security and carry out additional checks as a precaution.
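Confirming that the client really is gone across an estate is the practical follow-up to that advice. The following PowerShell is an added example written for this page, not APRA's tooling or any official D2A uninstaller; it assumes the client registered an Add/Remove Programs entry whose display name contains "Direct to APRA" or "D2A" (the `$NamePatterns` fragments are an assumption to be adjusted to what your own inventory shows), and it reports rather than removes, so the evidence can be reviewed before the vendor's UninstallString is run.

```powershell
# Added example (not APRA's or D2A's own tooling): audit a Windows host for a residual
# D2A client install by walking the Add/Remove Programs uninstall hives.
# ASSUMPTION: the client's DisplayName contains one of these fragments; adjust to your estate.
$NamePatterns = @('Direct to APRA', 'D2A')

function Get-ResidualD2AClient {
    [CmdletBinding()]
    param(
        [string[]]$Patterns = $NamePatterns
    )
    # 64-bit, 32-bit (WOW6432Node) and per-user uninstall hives.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $entry = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if (-not $entry.DisplayName) { return }          # skip keys with no product name
            foreach ($pattern in $Patterns) {
                if ($entry.DisplayName -like "*$pattern*") {
                    # Emit one record per match; UninstallString is what you would run
                    # (after review) to remove it, InstallLocation is where leftovers live.
                    [pscustomobject]@{
                        ComputerName    = $env:COMPUTERNAME
                        DisplayName     = $entry.DisplayName
                        DisplayVersion  = $entry.DisplayVersion
                        InstallLocation = $entry.InstallLocation
                        UninstallString = $entry.UninstallString
                        RegistryKey     = $_.PSPath
                    }
                    break
                }
            }
        }
    }
}

# Run locally and keep the result as evidence for the review APRA asked for.
Get-ResidualD2AClient | Export-Csv -Path ".\d2a-residual-$env:COMPUTERNAME.csv" -NoTypeInformation

# Fleet-wide: push the same function to every host in hosts.txt (assumed file) over WinRM.
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-ResidualD2AClient} |
#     Export-Csv -Path .\d2a-residual-fleet.csv -NoTypeInformation
```

An empty result from the uninstall hives is not proof of absence: a client unpacked from an archive rather than installed through an MSI leaves no uninstall entry, so pair this with a search of the file system and of scheduled tasks or services that reference the install directory before signing the host off.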
APRA emphasized that the shutdown was a preventive measure, not a response to a confirmed cyberattack. The regulator stated that it is not aware of any data breaches related to the system.
The decision aligns with APRA's information security standard CPS 234, which came into effect on 1 July 2019. The standard requires regulated entities to maintain information security controls commensurate with the sensitivity and criticality of the information they hold, and to systematically test the effectiveness of those controls.
The incident highlights the value of regular security testing, timely retirement of end-of-life systems, and acting on findings before exploitation rather than after, particularly for government and financial regulatory systems that handle sensitive data.