Wednesday, 17 August 2022
Data breach: RBNZ insider warned about underinvestment in security

12 Jan, 2021 02:00 AM | 7 minutes to read
The RBNZ was warned about the risk of underinvestment. Photo / Getty Images

By Chris Keall

Chris Keall is the technology editor and a senior business writer for the NZ Herald

The Reserve Bank has revealed that it was an overseas provider whose systems were breached, potentially exposing sensitive RBNZ files. That's drawn the ire of a local IT industry group that says the incident highlights a wider failing in government strategy that has weakened our defences.

The data breach also followed a May 2020 consultation document by the bank's chief information officer, Scott Fisher, that highlighted the need for more investment in IT, and a sweeping restructure of its IT structure and personnel.

Fisher's report said there was "high operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms".

It added: "Our people lack the modern digital tools, data and systems required to effectively collaborate and to support informed decision-making."

The Herald has asked the RBNZ how many of Fisher's recommended changes were implemented. A second RBNZ initiative, involving enhanced cyber-security for its partners, is still subject to a consultation process that closes on January 29.

On Sunday, the RBNZ said it was responding with urgency after a third-party service, now named as US-based Accellion, was illegally accessed.

The RBNZ uses Accellion to share data with banks and insurance companies.

Reserve Bank of NZ Governor Adrian Orr says the attack did not directly target his institution. Photo / Mark Mitchell

Overnight, Reserve Bank governor Adrian Orr said the Accellion file-transfer system had been taken offline while investigations were under way.

"This wasn't a specific attack on the Reserve Bank, and other users of the file-sharing application were also compromised.

"Our core functions and New Zealand's financial system remain sound, and Te Pūtea Matua is open for business. This includes our markets operations and management of the cash and payments systems."

Work is continuing to confirm the nature and extent of information that has been potentially accessed. The compromised data may include some commercially and personally sensitive information, Orr said.

CHRISTMAS DAZE?

Meanwhile, the National Cyber Security Centre, a unit of the GCSB, has confirmed it is assisting the Reserve Bank following the hack.

A cyber-security insider told the Herald that Accellion first notified all of its customers, including the RBNZ, of the file-sharing breach on December 24 and issued a patch, but that the RBNZ did not implement the patch or take its files offline until January 7.

Neither the RBNZ nor Accellion (which did not immediately respond to questions) has given a timeline for the data breach.

The insider said around 30 Accellion customers had been hit by the breach, which involved an SQL-injection attack, where malicious code is planted that allows a hacker to view, modify or delete files on a database.

The Accellion product involved, FTA (File Transfer Appliance), is some 20 years old. The company has been urging clients to upgrade to a newer service, Kiteworks, a spokesman said.

NZRISE: WIDER QUESTIONS RAISED

Meanwhile, NZRise cofounder Don Christie says the incident raises broader questions about not just the Reserve Bank's IT policy, but the Government's wider technology strategy.

While acknowledging that the central bank takes security very seriously, Christie questions its approach to file-sharing.

"It seems likely that RBNZ is using a third-party platform and it seems likely that this would be a very high-value target for hackers, similar to SolarWinds which was hacked last year and used widely by government agencies across the world," he says.

"In my view, the NZ Government needs to urgently review its IT strategy," adds Christie, who is also a director of one of the largest local IT services and cloud providers, Catalyst.

"Right now, individual agencies are being mandated to move as fast as possible to overseas infrastructure and overseas SaaS [software-as-a-service] suppliers. That's very short-term thinking and requires a high degree of effectively unproven trust. Time and time again the model has been proven to fail as state-sponsored warfare becomes more prevalent."

NZRise cofounder Don Christie says Crown agencies are offshoring rather than building national resilience and capability. Photo / File

An over-reliance on this one-size-fits-all strategy leaves NZ without the agility to respond to threats and compromises at a local level, Christie says.

"It also leaves us vulnerable to the whims of overseas actors. Who knows who would have control over many of these platforms had the coup attempt of January 6 in Washington DC been successful?"

An NZRise study released in November found that only about a third of government IT tenders, by dollar value, were awarded to New Zealand-owned companies for the previous year.

The lobby group argues that more business should be awarded locally, in part for skills development and to increase our tax base, and in part because of issues such as data sovereignty, and the fact that multinationals often prove difficult to regulate.

"We are simply not building a national view on resilience and capability and we are not co-ordinating investment and procurement across government agencies. If we put more focus on the latter the investment case for building much more shared infrastructure and capability in New Zealand would become far more positive," Christie says (a theme he addresses in the video below from the 11-minute mark).

"This is not to say that New Zealand tech is more secure than anyone else's but we can verify, audit and respond much more easily onshore than we can offshore. Indeed, many NZ companies experience far more oversight than our overseas competitors simply because we are so close," Christie says.

"Keep in mind that the Europeans are about to spend billions of Euros building their own cloud and other infrastructure. It's likely this investment will produce more open source systems, such as OpenStack and Kubernetes, that NZ can leverage. Indeed, if we played our cards right we could think about joining that initiative with a view of giving NZ more technical independence.

"This rethink will require good political leadership and a radical shake-up of Government IT leadership."

CYBERATTACKS SURGE, NZ SPENDING STUTTERS

The past 12 months have seen an escalation in cyberattacks, according to Crown agency Cert (Computer Emergency Response Team) NZ, with attacks increasing by 33 per cent year-on-year.

August and September saw the GCSB come to NZX's aid as the local stock exchange struggled to repel a series of DDoS (distributed denial of service) attacks that overwhelmed its website.

Earlier in 2020, there were cyberattacks on multiple corporate targets including Fisher & Paykel Appliances, Toll Group and Lion.

In F&P Appliances' case, a "ransomware" gang leaked a number of its spreadsheet and planning files on to the internet in a bid to pressure the company to pay for the return of its stolen files. F&P refused.

AUT computer science professor Dave Parry told the Herald that a Covid double-whammy had contributed to the dramatic rise in cyberattacks.

The pandemic has spurred a working-from-home boom, often involving much lower security, at the same time that lockdowns around the globe had reduced many of organised crime's usual "real-life" avenues - leading to a spike in cybercrime.

Businesses were being targeted to exploit the gaps in security that were opening up as staff shuffled files between work and home - and simply because commercial organisations are richer targets.

Across the Tasman, Scott Morrison's government increased cyber-defence spending by A$1.35 billion last year, while NZ's increase of its already smaller per-capita budget was in the single-digit millions, with the issue gaining no traction at the election.
