Noted it was over reliant on Accellion.
The Reserve Bank of New Zealand – Te Pūtea Matua – has released the findings of independent reports on an illegal data breach and its handling of sensitive information.
The Bank accepts the findings and has, and will continue to, implement the recommendations, Reserve Bank Governor Adrian Orr said.
“As signaled in our Statements of Intent, we are well advanced on multiyear investment initiatives related to our digital systems and data management. We have prioritised these initiatives consistent with the recommendations outlined in the reports,” Orr noted.
On December 25 2020, the Reserve Bank was the victim of a cyber-attack on the third-party file sharing application it used to share and store information. KPMG was subsequently engaged to complete an independent review of the Bank’s immediate response to the breach, and identify areas for improvements in the Bank’s systems and processes.
“While we were the victim of a widespread illegal attack on the file sharing system, the Reserve Bank takes full responsibility for our shortfalls identified in the KPMG report,” Orr said.
“We were over reliant on Accellion – the supplier of the file transfer application (FTA) – to alert us to any vulnerabilities in their system. In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning.
According to the Reserve Bank KPMG outlined there are controls and practices within the institution that needed to be, and are being, improved. If these practices were in place at the time of the illegal breach the impact would have been less.
“I am disappointed about the incident and the impact it has had on people, including our own team. I am confident, however, that we have responded with urgency, precision, and care,” he said.
“From the outset of the breach we have operated transparently and benefitted from the support of very capable domestic and international public sector cyber experts, and other private sector experts. I again extend my thanks to these people.”
In January 2021, the Reserve Bank reported a data breach of a third-party file sharing software application – Accellion FTA – that was used to share and store information.
As part of the investigation into the breach the Bank engaged KPMG to undertake an independent review of its systems and processes.
The Bank estimates that the final cost of the breach response, including internal resources, will be around NZ$3.5 million. All costs associated with the breach were covered under the Bank’s baseline budgets.
In late 2020, the Bank engaged Deloitte to undertake an independent investigation to help improve our handling of sensitive information.
This followed two incidents where sensitive information was incorrectly stored in a draft internal report, and information accidentally was disclosed to a small group of financial services firms a short time before it was made public. Initiatives are also underway to address the recommendations in that report.