Reserve Bank of New Zealand Investigates Data BreachHackers Gained Network Access Through Accellion File-Sharing Service
The Reserve Bank of New Zealand disclosed Sunday that hackers infiltrated its network after compromising its file-sharing system from Accellion. The nation's central bank says the attack may have exposed commercial and consumer information, and other Accellion customers also had systems compromised.
"The breach is contained, but it will take time to determine the impact," the bank's governor, Adrian Orr, says in a statement. "The analysis of the potentially affected information is being done with pace and care. We recognize the public interest in this incident. However, we are not in a position to provide further details at this time."
The central bank says its file-sharing service from Palo Alto, California-based Accellion enables it to share information with external stakeholders.
"We have been advised by the third-party provider that this wasn't a specific attack on the Reserve Bank, and other users of the file-sharing application were also compromised," the bank says.
The central bank, also known as Te Pūtea Matua, was established in 1934. It has been wholly owned by the government of New Zealand since 1936.
The bank's file-sharing service has been secured and taken offline, Orr says. The bank is conducting an investigation in conjunction with domestic and international cybersecurity teams, including the Government Communications Security Bureau's National Cyber Security Center, which provides cybersecurity to the New Zealand government and the nation's critical infrastructure.
The bank says it's in communication with users of its file-sharing service and is investigating alternative methods for securely sharing data. It's continuing to investigate the type and amount of information that may have been accessed, it says.
"Our core functions and New Zealand's financial system remain sound, and Te Pūtea Matua is open for business," Orr says. "This includes our markets operations and management of the cash and payments systems."
New Zealand's National Cyber Security Center tells Information Security Media Group that it's providing guidance and advice to the nation's central bank about the security incident. The center says the bank has taken the proper steps to mitigate the issue.
The bank did not immediately reply to a request for additional comment.
Accellion tells ISMG it was made aware of a critical vulnerability in its 20-year-old file transfer appliance in mid-December and issued a patch within 72 hours. The company estimates less than 50 customers were affected.
Bank's Cyber Policy
In October, New Zealand's central bank issued a draft framework on cyber resilience for all entities regulated by the bank, including banks, non-bank deposit takers, insurers and financial market infrastructures. A primary aim is to raise awareness among boards and senior management and promote accountability for managing cyber risk within institutions.
The framework is in a public comment phase that will end on Jan. 29, which will be followed by the bank issuing a final guidance paper.
In August, the New Zealand Stock Exchange was hit with a distributed denial-of-service attack that knocked trading offline for several days (see: New Zealand Stock Exchange Trades Again After DDoS).