Orr says bank has ‘fallen short’
Reserve Bank governor Adrian Orr has “apologised unreservedly” for what he now says was a significant data breach stemming from the hack of a file-sharing software application it used to communicate.
“While a malicious third party has committed the crime, and we believe service provisions have fallen short of our agreement, the bank has also fallen short of the standards expected by our stakeholders,” he said.
Suspicions have been raised that the bank did not quickly apply a patch to fix a major vulnerability identified by the software’s supplier, California company Accellion, after it was first discovered in December.
The software system is believed to have been used by the central bank to receive large files containing confidential information from banks, in its capacity as a regulator of the banking sector.
“We apologise unreservedly to all of those impacted by the breach.
“Personally, I own this issue and I am disappointed and sorry,” Orr said.
Orr said the bank’s investigation had shown it was dealing with “a significant data breach”.
A forensic cyber investigation was under way and the bank was working with “affected stakeholders” whose information may have been breached, he said. “We acknowledge there are serious questions that need to be answered about how this incident occurred and how to strengthen our systems and processes.”
The bank noted in a May report that it needed to “uplift” its cyber-security capabilities. An IT contractor with experience working at the Reserve Bank told Stuff that as of several years ago it did not appear to have strong governance arrangements for information security, and questioned whether it currently employed anyone with clear accountability for that.
Orr said that in addition to the investigation under way, the bank had appointed “an independent third party” to undertake a comprehensive general review of the incident. “We will be as transparent and clear as possible as this progresses, and will release the review’s terms of reference shortly.”
The bank’s immediate focus was on working directly with system users and those who may have had their information compromised, he said.
“It is a complex process and accuracy and security are important.
“As our investigations progress, we are prioritising direct engagement with institutions and individuals affected.”
Orr said the bank was not in a position to provide further details on the investigation now, as that could “adversely affect the investigation and the steps being taken to mitigate the breach”.
Bankers’ Association chief executive Roger Beaumont said on Monday that it understood why the Reserve Bank had been unable to say much at that time.
Spokesman Philip van Dyk said yesterday that it had no further comment at this stage.