Reserve Bank not alone in having data hacked
The Reserve Bank has released more details on a cyber attack that compromised the bank, saying a filesharing system provided by Californian company Accellion had been hacked.
Reserve Bank governor Adrian Orr said it had been advised by Accellion that the Reserve Bank had not been specifically targeted and that other users of the software, called FTA (File Transfer Application), were also compromised.
The bank has not provided more information on the implications of the hack, including whether it could have financial implications for the bank – beyond saying the compromised data might include some commercially and personally sensitive information.
Orr said the bank was continuing to ‘‘respond with urgency to the breach’’ which was used to share information with ‘‘external stakeholders’’.
He reiterated it would take time to determine the impact of the breach.
‘‘The analysis of the potentially affected information is being done with pace and care,’’ he said.
‘‘We are actively working with domestic and international cyber security experts and other relevant authorities as part of our investigation.’’
That included the GCSB’s National Cyber Security Centre which had been notified and was providing guidance and advice, he said.
‘‘We recognise the public interest in this incident however we are not in a position to provide further details at this time,’’ he said.
Doing so could ‘‘adversely affect the investigation and the steps being taken to mitigate the breach’’, he said.
Orr said the file sharing service had been taken offline and the bank’s core functions and New Zealand’s financial system remained sound.
‘‘This includes our markets operations and management of the cash and payments systems.
‘‘We will provide further facts when it is appropriate to do so,’’ he said.
The incident was sufficiently serious for Prime Minister Jacinda Ardern, Finance Minister Grant Robertson and GCSB Minister Andrew Little to be informed of the attack.
The Reserve Bank warned in a report in May that it needed to ‘‘uplift’’ its cyber-security capabilities, saying it faced a ‘‘high operational risk due to technical obsolescence and an under-investment in security’’ across many of its core technology platforms.
Brett Callow, an expert with Auckland-based cyber-security firm Emsisoft, said working out exactly what happened, and what data was compromised, during a breach required a forensic investigation that could take weeks to complete.
Bankers’ Association chief executive Roger Beaumont said prior to the Reserve Bank’s update that ‘‘as it is a security issue, we understand why the Reserve Bank cannot say much more at this stage’’.
Auckland University associate professor Lech Janczewski said earlier that he would be ‘‘extremely careful’’ about pointing the finger at any type of attacker.
‘‘The analysis of the potentially affected information is being done with pace and care.’’ Adrian Orr