Tuesday, 05 December 2023
KaitaiaWhangareiDargavilleAucklandThamesTaurangaHamiltonWhakataneRotoruaTokoroaTe KuitiTaumarunuiTaupoGisborneNew PlymouthNapierHastingsDannevirkeWhanganuiPalmerston NorthLevinParaparaumuMastertonWellingtonMotuekaNelsonBlenheimWestportReeftonKaikouraGreymouthHokitikaChristchurchAshburtonTimaruWanakaOamaruQueenstownDunedinGoreInvercargill
NZ HeraldThe Northern AdvocateThe Northland AgeThe AucklanderWaikato HeraldBay Of Plenty TimesRotorua Daily PostHawke's Bay TodayWhanganui ChronicleThe Stratford PressManawatu GuardianKapiti NewsHorowhenua ChronicleTe Awamutu CourierVivaEat WellOneRoofDRIVEN Car GuideThe CountryPhoto SalesiHeart RadioRestaurant Hub
Voyager 2023 media awards
Subscribe

Advertisement

Advertise with NZME.
Home / Business

RBNZ says partner Accellion kept it in the dark about data breach

Chris Keall
By
Chris Keall
9 Feb, 2021 04:25 AM3 mins to read
Saveshare

Share this article

facebookcopy linktwitterlinkedinredditemail
"We had no warning to avoid the attack which began in mid-December. Accellion failed to notify the Bank for five days," Reserve Bank Governor Adrian Orr says. Photo / Mark Mitchell

"We had no warning to avoid the attack which began in mid-December. Accellion failed to notify the Bank for five days," Reserve Bank Governor Adrian Orr says. Photo / Mark Mitchell

The Reserve Bank was kept in the dark for a crucial five days about a December data breach, Governor Adrian Orr says - contradicting its technology partner's version of events.

The incident - which saw sensitive data stolen - involved a file-sharing service run by US company Accellion.

"We had no warning to avoid the attack which began in mid-December. Accellion failed to notify the Bank for five days that an attack was occurring against its customers around the world, and that a patch was available that would have prevented this breach."

"If we were notified at the appropriate time, we could have patched the system and avoided the breach. Our own analysis has identified shortcomings in our processes once the system was breached. The impact this had is part of the review underway."

Advertisement

Advertise with NZME.

Orr's claim runs contrary to a January 12 statement by Accellion, which said, "Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected."

Accellion's overall timeline of three days is shorter than Orr's claim of five. The US-based Accellion did not immediately respond to a question about whether it immediately informed customers when it discovered the vulnerability, or if it waited until the patch was ready.

There are also broader timeline questions that will have to be resolved by an investigation currently underway by KPMG.

They include why the RBNZ had not acted faster on a May 2020 report by the bank's chief information officer, Scott Fisher, warned there was "high operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms".

Advertisement

Advertise with NZME.

Also why the RBNZ was still using a 20-year-old Accellion file-sharing service called FTA, when for the US company had been encouraging customers to upgrade to a more secure alternative, Kiteworks, for four years. Kiteworks was referenced in Fisher's report.

It has also been alleged by a cyber-security insider that the RBNZ learned of the vulnerability on December 24, but did not take action until January 7. The bank has not released any timeline of events at this point.

Orr also said today that "The Reserve Bank is making solid progress in responding to a recent malicious data breach, and ensuring affected stakeholders are well supported.

The RBNZ has completed its assessment of the files illegally downloaded during the breach and is notifying organisations involved, Orr said.

External legal advisers are also providing assurance checks and advice on any personal information which was included in the downloaded files.

"For security reasons, we can't provide specific details about the number of files downloaded, or information they contain. We have been in regular communication with all organisations who have had files illegally downloaded," Orr said.

"As a priority, we have engaged with the organisations whose files contained sensitive information, to support them and assist in managing the impact on their customers and staff.

"We are working directly with these organisations to determine how many people had sensitive personal information compromised and we will ensure they are well supported."

"The Bank has engaged a specialist national identity and cyber support service IDCARE, to provide advice and support to people affected by the breach at no cost to them. We continue to work closely with the Office of the Privacy Commissioner.

Orr said the forensic and criminal investigations into the breach are ongoing, as well as the independent KPMG review of the Bank's systems and processes.

Advertisement

Advertise with NZME.
Saveshare

Share this article

facebookcopy linktwitterlinkedinredditemail

Advertisement

Advertise with NZME.

Latest from Business

Premium
Business

Market close: NZ stocks continue to drift while Aussies keep cash rate on hold

05 Dec 05:15 AM
Premium
Business

Big payday for Hirepool shareholders

05 Dec 03:13 AM
Premium
Business

Cost of living hits customers as Woolworths NZ's profits slashed

05 Dec 03:05 AM
Premium
Business

Three retirement village issues NZ Shareholders Association is considering

05 Dec 03:02 AM

Navigating the ‘decade of uncertainty’

sponsored

Advertisement

Advertise with NZME.

Latest from Business

Premium
Market close: NZ stocks continue to drift while Aussies keep cash rate on hold

Market close: NZ stocks continue to drift while Aussies keep cash rate on hold

05 Dec 05:15 AM

The S&P/NZX 50 Index ended the day lower.

Premium
Big payday for Hirepool shareholders

Big payday for Hirepool shareholders

05 Dec 03:13 AM
Premium
Cost of living hits customers as Woolworths NZ's profits slashed

Cost of living hits customers as Woolworths NZ's profits slashed

05 Dec 03:05 AM
Premium
Three retirement village issues NZ Shareholders Association is considering

Three retirement village issues NZ Shareholders Association is considering

05 Dec 03:02 AM
How to make a win-win-win from waste
sponsored

How to make a win-win-win from waste

About NZMEHelp & SupportContact UsSubscribe to NZ HeraldHouse Rules
Manage Your Print SubscriptionNZ Herald E-EditionAdvertise with NZMEBook Your AdPrivacy Policy
Terms of UseCompetition Terms & ConditionsSubscriptions Terms & Conditions
© Copyright 2023 NZME Publishing Limited
TOP