itb-nz logo
Story image

UPDATED: RBNZ ascribes data breach to third-party file sharing service

11 Jan 2021

The Reserve Bank (Te Pūtea Matua) has been affected by a data breach which compromised ‘commercially and personally sensitive’ information.

According to a statement issued yesterday, the bank is acting with urgency to uncover the source and implications of the breach.

Reserve Bank Governor Adrian Orr says the breach has been contained. The bank is working with both New Zealand and international cybersecurity experts and authorities, including the National Cyber Security Centre (NCSC) to conduct its investigation.

According to the statement, attackers accessed a third-party file sharing service called FTA that the bank uses to share and store information. This service, provided by Accellion, was 'illegally accessed'.

Work is continuing to confirm the nature and extent of information that has been potentially accessed, and the system has been taken offline. The compromised data may include some commercially and personally sensitive information.

“The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information,” says Orr.

“The system has been secured and taken offline until we have completed our initial investigations. It will take time to understand the full implications of this breach, and we are working with system users whose information may have been accessed. Our core functions remain sound and operational.”

In October 2020 the bank commenced draft guidance on the expectations around cyber resilience. This includes cyber risk management relating to all entities that the Reserve Bank regulates.

The aim is to educate boards and senior management about cyber risk management within institutions.

“As cyber risk continues to rise, there is growing awareness that cyber incidents could present risks to the stability of the entire financial system. Improving cyber resilience has become a key priority for prudential regulators around the world,” commented Deputy Governor and General Manager of Financial Stability Geoff Bascand last year.

“We are open to feedback on the guidance, but we expect it will be useful for firms as they develop their own frameworks to address the cyber risks they face.”

In 2019 the bank noted that: "Previously, the Reserve Bank took the view that public and private interests on cyber risk were relatively well aligned, but that a useful role for prudential regulators was not yet clear."

"However, cyber risks are evolving as digitalisation of the financial system deepens, and there is now broad acceptance that cyber risk presents particular challenges that set it apart from other operational risks. For instance, cyber-attacks are seen to be inevitable, rapidly evolving, and highly contagious. Among other things, these features mean that sharing information about cyber events and coordinating responses are crucial to help mitigate impacts and promote the resilience of the financial system."

The bank believes its role is to help promote information sharing and guidance, particularly risk management guidance, which is what it aims to achieve.

Feedback on the draft guidance closes on 29 January.

Details of the information gathering and sharing plan are under development and will be published for public consultation in mid-2021.

Story image
Vodafone NZ fast-tracks regional investment programme
"Each year we invest hundreds of millions of dollars into our digital infrastructure, but we are really ramping it up this year and beyond."More
Story image
The technology trends shaping automation in 2021
Companies have more automation options now than ever before. But understanding these options, how they relate and knowing how best to connect and orchestrate them across the entire organisation is essential to getting automation right.More
Story image
The State of Data Virtualisation: Enterprises see data virtualisation as strong alternative to data warehouse solutions
"The rapid growth of data virtualisation is exposing major cracks in the business foundation that supports the technology."More
Story image
Databricks launches on Google Cloud 
Under the partnership, organisations can now use Databricks to create a lakehouse capable of data engineering, data science, machine learning, and analytics on Google Cloud’s global, scalable, and elastic network. More
Story image
3 days at home, 2 days in the office? What's the ideal working scenario in the new COVID normal?
The days of physically reporting to an office every day of the workweek are not likely to resume once the COVID-19 pandemic is over. More
Story image
CrowdStrike to acquire Humio for $400 million
The move expands CrowdStrike’s Extended Detection and Response (XDR) capabilities through Humio’s data ingestion and analytics expertise, which CrowdStrike says will deliver improved insights and better protection.More