Rotorua Daily Post

Data breach: The questions Reserve Bank must answer

- Chris Keall, comment

The RBNZ said a security issue with a third-party file-transfer service, FTA, run by the Silicon Valley-based Accellion, meant files it shares with the likes of banks and insurance companies were potentially exposed, after a possible data breach was revealed on Sunday.

The Herald would like to know:

1. Why was the RBNZ using a creaky old service being sunsetted by its owner?

Accellion has been making assertive efforts to move its customers from FTA to its new Kiteworks service.

Spokesman Rob Dougherty said, “FTA is a 20-year-old product . . . While Accellion maintains tight security standards for [FTA], we strongly encourage our customers to update to Kiteworks, the modern enterprise content firewall platform, for the highest level of security.”

The far more capable and secure Kiteworks was released four years ago. Indications are that RBNZ was one of only about 10 per cent of Accellion customers still clinging to its outdated product.

2. Why did the RBNZ ignore in-house warnings that its technology was out of date?

A May 2020 report by the bank’s chief information officer, Scott Fisher, warned there was “high operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms”. Fisher referenced Kiteworks and outlined a timetable for new technology solutions to be implemented from June, but six months later, the Reserve Bank was still using the older FTA service as it was compromised.

3. Why was there an apparent delay in applying a security patch issued by Accellion?

Dougherty said Accellion discovered a “P0” exploit (also known as a “Zero Day” vulnerability) in its FTA file sharing service in “mid-December”.

A zero-day vulnerability is the most serious kind of security breach, usually involving the injection of malicious code.

Dougherty said Accellion issued a patch (software upgrade to fix the problem) within 72 hours of it being discovered. The Herald has sighted correspondence that says the patch was released to FTA customers, which would include the RBNZ, on December 24. But an insider has told the Herald that the RBNZ did not take action until January 7.

The bank has so far refused to comment on the timeline, other than to say that, as of January 10, “The system has been secured and taken offline while investigations [occur].”

4. What information was potentially accessed?

Reserve Bank Governor Adrian Orr said on January 10: “The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information.”

There has been no update since. This is one area where the bank deserves some leeway. It can be hard to ascertain if files have been viewed or copied, often until a ransom demand comes in from a hacker.

5. Why go overseas?

Local IT industry group NZRise has complained of a “cultural” cringe that sees a majority of government tenders being awarded overseas when local talent can do the job well, cost-effectively and with data protected by local laws.

Duty Minister Peeni Henare did not respond to RBNZ’s procurement specifically, but said: “Opportunities to participate in government tenders are publicly advertised on the Government Electronic Tender Service (GETS). The Government has made it a priority to increase access for New Zealand businesses, which is incorporated in Rule 17 of the Government Procurement Rules [which reads ‘Agencies must consider how they can create opportunities for New Zealand businesses’].”

But NZRise has complained that because of the closed panel system used for many all-of-government contracts, only a small minority of tenders make it to GETS, and once they do, the process of participating in a tender is disproportionately expensive for local contenders.

6. Why is our government doing so little to bolster our cybersecurity defences?

NZ has a national cybersecurity defence system, Cortex, and it does stop hundreds of attacks each year. But it is ageing and, compared to other countries, has had relatively little enhancement in recent years.

Crown agency CERT NZ tracked a 33 per cent increase in cyberattacks last year, in keeping with worldwide trends. In Australia, Scott Morrison’s Government increased cyberdefence spending by A$1.35 billion last year. But NZ’s increase of its already smaller per-capita budget was in the single-digit millions.

That’s a question the Herald will be putting to new IT Minister David Clark when he returns from holiday.
