RBNZ breach: Insider warned of risks
Incident highlights wider failing, says IT industry
The Reserve Bank has revealed that it was an overseas provider whose systems were breached, potentially exposing sensitive RBNZ files. That’s drawn the ire of a local IT industry group that says the incident highlights a wider failing in government strategy that has weakened our defences.
The data breach also followed a May 2020 consultation document by the bank’s chief information officer, Scott Fisher, that highlighted the need for more investment in IT, and a sweeping restructure of its IT structure and personnel.
Fisher’s report said there was “high operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms”.
It added: “Our people lack the modern digital tools, data and systems required to effectively collaborate and to support informed decision-making.”
The Herald has asked the RBNZ how many of Fisher’s recommended changes were implemented. A second RBNZ initiative, involving enhanced cyber-security for its partners, is still subject to a consultation process that closes on January 29.
On Sunday, the RBNZ said it was responding with urgency after a third-party service, now named as the US-based Accellion, was illegally accessed.
The RBNZ uses Accellion to share data with banks and insurance companies.
Reserve Bank governor Adrian Orr said the Accellion file-transfer system had been taken offline while investigations were under way.
“This wasn’t a specific attack on the Reserve Bank, and other users of the file-sharing application were also compromised.
“Our core functions and New Zealand’s financial system remain sound, and Te Pūtea Matua is open for business. This includes our markets operations and management of the cash and payments systems.”
Work is continuing to confirm the nature and extent of information that has been potentially accessed. The compromised data may include some commercially and personally sensitive information, Orr said.
Christmas daze?
Meanwhile, the National Cyber Security Centre, a unit of the GCSB, has confirmed it is assisting the Reserve Bank following the hack.
A cyber-security insider told the Herald that Accellion first notified all of its customers, including the RBNZ, of the file-sharing breach on December 24 and issued a patch, but that the RBNZ did not implement the patch or take its files offline until January 7.
Neither the RBNZ nor Accellion (which did not immediately respond to questions) has given a timeline for the data breach.
The insider said 25 to 30 Accellion customers had been hit by the breach, which involved an SQL-injection attack, where malicious code is planted that allows a hacker to view, modify or delete files on a database.
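To make the mechanism the insider describes concrete from a defender's point of view, here is an added illustration that is not part of the Herald article and has nothing to do with Accellion's or the RBNZ's actual software. It uses a constructed in-memory SQLite table standing in for a file-sharing service's file index, and places the classic defect (string-concatenating a user-supplied value into the SQL text) beside the standard fix (parameter binding). The table schema, the sample rows and the function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data: a toy "file index" for a file-sharing service.
# This is not any real product's schema; it exists only to show the two query styles.
SAMPLE_FILES = [
    (1, "alice", "q3-report.pdf"),
    (2, "bob", "policy-draft.docx"),
    (3, "carol", "board-minutes.pdf"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER, owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?, ?)", SAMPLE_FILES)
    conn.commit()
    return conn


def list_files_vulnerable(conn, owner):
    """Defective pattern: the caller-supplied value becomes part of the SQL grammar.

    A value containing quote characters or SQL keywords changes the meaning
    of the statement, so the WHERE clause no longer restricts the result set.
    """
    sql = "SELECT name FROM files WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn, owner):
    """Hardened pattern: the value is bound as a parameter.

    The database driver sends the value separately from the statement text,
    so whatever the string contains, it is compared as data and never parsed
    as SQL. The hostile input simply matches no owner.
    """
    sql = "SELECT name FROM files WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def compare(owner):
    """Run both variants on the same input and return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return list_files_vulnerable(conn, owner), list_files_safe(conn, owner)
    finally:
        conn.close()


if __name__ == "__main__":
    # Normal input: both variants return only alice's files.
    print(compare("alice"))
    # Hostile input: the concatenated query returns every row; the bound query returns none.
    print(compare("x' OR '1'='1"))
```

The practical takeaway for reviewers and code auditors is that the difference is visible in the source, not only at runtime: any query whose text is assembled with `+`, f-strings or `%` formatting from request data is the pattern to flag, and a database access layer that exposes only parameterised calls removes the whole class of defect rather than relying on input filtering.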
NZRise: Wider questions raised
NZRise co-founder Don Christie says the incident raises broader questions about not just the Reserve Bank’s IT policy, but the Government’s wider technology strategy.
While acknowledging that the central bank takes security very seriously, Christie questions its approach to file-sharing.
“It seems likely that RBNZ is using a third-party platform and it seems likely that this would be a very high-value target for hackers, similar to SolarWinds which was hacked last year and used widely by government agencies across the world,” he says.
“In my view, the NZ Government needs to urgently review its IT strategy,” adds Christie, who is also a director of one of the largest local IT services and cloud providers, Catalyst.
“Right now, individual agencies are being mandated to move as fast as possible to overseas infrastructure and overseas SaaS [software-as-a-service] suppliers. That’s very short-term thinking and requires a high degree of effectively unproven trust. Time and time again the model has been proven to fail as state-sponsored warfare becomes more prevalent.”
An over-reliance on this one-size-fits-all strategy leaves NZ without the agility to respond to threats and compromises at a local level, Christie says.
“It also leaves us vulnerable to the whims of overseas actors. Who knows who would have control over many of these platforms had the coup attempt of January 6 in Washington DC been successful?”
An NZRise study released in November found that only about a third of government IT tenders, by dollar value, were awarded to New Zealand-owned companies for the previous year.
The lobby group argues that more business should be awarded locally, in part for skills development and to increase our tax base, and in part because of issues such as data sovereignty, and the fact that multinationals often prove difficult to regulate.
“We are simply not building a national view on resilience and capability and we are not co-ordinating investment and procurement across government agencies. If we put more focus on the latter the investment case for building much more shared infrastructure and capability in New Zealand would become far more positive,” Christie says.
“This is not to say that New Zealand tech is more secure than anyone else’s but we can verify, audit and respond much more easily onshore than we can offshore. Indeed, many NZ companies experience far more oversight than our overseas competitors simply because we are so close,” Christie says.
“Keep in mind that the Europeans are about to spend billions of Euros building their own cloud and other infrastructure. It’s likely this investment will produce more open source systems, such as OpenStack and Kubernetes, that NZ can leverage. Indeed, if we played our cards right we could think about joining that initiative with a view of giving NZ more technical independence.
“This rethink will require good political leadership and a radical shake-up of government IT leadership.”