Data breach: The questions Reserve Bank must answer
The RBNZ said a security issue with a third-party file-transfer service — FTA, run by the Silicon Valley-based Accellion — meant files it shares with the likes of banks and insurance companies were potentially exposed, after a possible data breach was revealed on Sunday.
The Herald would like to know:
1. Why was the RBNZ using a creaky old service being sunsetted by its owner?
Accellion has been making assertive efforts to move its customers from FTA to its new Kiteworks service.
Spokesman Rob Dougherty said, “FTA is a 20-year-old product . . . While Accellion maintains tight security standards for [FTA], we strongly encourage our customers to update to Kiteworks, the modern enterprise content firewall platform, for the highest level of security.”
The far more capable and secure Kiteworks was released four years ago. Indications are that the RBNZ was one of only about 10 per cent of Accellion customers still clinging to its outdated product.
2. Why did the RBNZ ignore in-house warnings that its technology was out of date?
A May 2020 report by the bank’s chief information officer, Scott Fisher, warned there was “high operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms”. Fisher referenced Kiteworks and outlined a timetable for new technology solutions to be implemented from June, but six months later, the Reserve Bank was still using the older FTA service when it was compromised.
3. Why was there an apparent delay in applying a security patch issued by Accellion?
Dougherty said Accellion discovered a “P0” exploit (also known as a “zero-day” vulnerability) in its FTA file-sharing service in “mid-December”.
A zero-day vulnerability is the most serious kind of security breach, usually involving the injection of malicious code.
Dougherty said Accellion issued a patch (a software upgrade to fix the problem) within 72 hours of it being discovered. The Herald has sighted correspondence that says the patch was released to FTA customers — which would include the RBNZ — on December 24. But an insider has told the Herald that the RBNZ did not take action until January 7.
The bank has so far refused to comment on the timeline, other than to say that, as of January 10, “The system has been secured and taken offline while investigations [occur].”
4. What information was potentially accessed?
Reserve Bank Governor Adrian Orr said on January 10: “The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information.”
There has been no update since. This is one area where the bank deserves some leeway. It can be hard to ascertain if files have been viewed or copied — often until a ransom demand comes in from a hacker.
5. Why go overseas?
Local IT industry group NZRise has complained of a “cultural” cringe that sees a majority of government tenders being awarded overseas when local talent can do the job well, cost-effectively and with data protected by local laws.
Duty Minister Peeni Henare did not respond to the RBNZ’s procurement specifically, but said: “Opportunities to participate in government tenders are publicly advertised on the Government Electronic Tender Service (GETS). The Government has made it a priority to increase access for New Zealand businesses, which is incorporated in Rule 17 of the Government Procurement Rules [which reads ‘Agencies must consider how they can create opportunities for New Zealand businesses’].”
But NZRise has complained that because of the closed panel system used for many all-of-government contracts, only a small minority of tenders make it to GETS — and once they do, the process of participating in a tender is disproportionately expensive for local contenders.
6. Why is our government doing so little to bolster our cybersecurity defences?
NZ has a national cybersecurity defence system, Cortex, and it does stop hundreds of attacks each year. But it is ageing and, compared to other countries, has had relatively little enhancement in recent years.
Crown agency CERT NZ tracked a 33 per cent increase in cyberattacks last year — in keeping with worldwide trends. In Australia, Scott Morrison’s Government increased cyberdefence spending by A$1.35 billion last year. But NZ’s increase of its already smaller per-capita budget was in the single-digit millions.
That’s a question the Herald will be putting to new IT minister David Clark when he returns from holiday.