The Reserve Bank of New Zealand has released the findings of an independent report on an illegal data breach and the central bank’s handling of sensitive information.
The central bank said an investigation into a cyberattack on one of its computer systems late last year has identified failings that RBNZ has begun to rectify.
On December 25, 2020, the RBNZ was the victim of a cyberattack on the third-party file-sharing application it used to share and store data.
KPMG was subsequently engaged to complete an independent review of the RBNZ’s immediate response to the breach, and identify areas for improvements in the central bank’s systems and processes.
The review into the data breach subsequently found the central bank had been using the hacked file-sharing software for more than its intended functions.
“Usage of the system by the bank was not limited to secure file transfers as intended,” the consultant said.
“Working practices evolved to the point where the system was also used as an information repository and collaboration tool, which was not in adherence with the bank’s guidelines on acceptable use of the system.
“Adherence would have significantly reduced the volume of information at risk.”
The KPMG report argued that “potentially malicious activity” on the system generated alerts, but that central bank staff either failed to identify them or failed to follow up on them.
No advance warning
Adrian Orr, the governor of the Reserve Bank of New Zealand, conceded that the RBNZ was over-reliant on US software provider Accellion to alert staff to any vulnerabilities in its system. But he took issue with the report’s comments on the alerts, saying: “in this instance, their notifications to us did not leave their system and hence did not reach the RBNZ in advance of the breach. We received no advance warning.”
However, Orr also acknowledged that while the RBNZ was a victim of a widespread illegal attack on the file-sharing system, it takes full responsibility for the shortfalls identified by KPMG.
“I am disappointed about the incident and the impact it has had on people, including our team. I am confident, however, that we have responded with urgency, precision, and care,” he said in a statement.
“From the outset of the breach, we have operated transparently and benefitted from the support of very capable domestic and international public sector cyber experts, and other private sector experts. I again extend my thanks to these people.”
“I also again extend my apologies to all individuals and institutions that were affected by this illegal breach. I especially thank the Office of the Privacy Commissioner who has worked closely with us throughout the incident.”