Source: MIL-OSI Submissions
Source: Reserve Bank of New Zealand
31 May 2021 – The Reserve Bank of New Zealand – Te Pūtea Matua – has released the findings of independent reports on an illegal data breach and its handling of sensitive information.
“The Bank accepts the findings and has, and will continue to, implement the recommendations,” Reserve Bank Governor Adrian Orr says.
“As signalled in our Statements of Intent, we are well advanced on multiyear investment initiatives related to our digital systems and data management. We have prioritised these initiatives consistent with the recommendations outlined in the reports,” Mr Orr says.
On December 25 2020, the Reserve Bank was the victim of a cyber-attack on the third-party file sharing application it used to share and store information. KPMG was subsequently engaged to complete an independent review of the Bank’s immediate response to the breach, and identify areas for improvements in the Bank’s systems and processes.
“While we were the victim of a widespread illegal attack on the file sharing system, the Reserve Bank takes full responsibility for our shortfalls identified in the KPMG report,” Mr Orr says.
“We were over reliant on Accellion – the supplier of the file transfer application (FTA) – to alert us to any vulnerabilities in their system. In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning.
KPMG outline that there are controls and practices within the Bank that needed to be, and are being, improved. If these practices were in place at the time of the illegal beach the impact would have been less,” says Mr Orr.
“I am disappointed about the incident and the impact it has had on people, including our own team. I am confident, however, that we have responded with urgency, precision, and care.
From the outset of the breach we have operated transparently and benefitted from the support of very capable domestic and international public sector cyber experts, and other private sector experts. I again extend my thanks to these people.”
“I also again extend my apologies to all individuals and institutions that were affected by this illegal breach. I especially thank the Office of the Privacy Commissioner who have worked closely with us throughout the incident.”
Background
In January 2021, the Reserve Bank reported a data breach of a third-party file sharing software application – Accellion FTA – that was used to share and store information.
As part of the investigation into the breach the Bank engaged KPMG to undertake an independent review of its systems and processes.
The Bank estimates that the final cost of the breach response, including internal resources, will be around $3.5 million. All costs associated with the breach were covered under the Bank’s baseline budgets.
In late 2020, the Bank engaged Deloitte to undertake an independent investigation to help improve our handling of sensitive information. This followed two incidents where sensitive information was incorrectly stored in a draft internal report, and information accidentally was disclosed to a small group of financial services firms a short time before it was made public. Initiatives are also underway to address the recommendations in that report.
More information
