New Zealand Reserve Bank: Taking Action to Respond to Data Breach Reports

 

Two independent investigations into an unauthorized data breach and the handling of sensitive information have been announced by the Reserve Bank of New Zealand. 

“The Bank accepts the findings and has implemented, and will continue to implement, the recommendations,” stated Reserve Bank Governor Adrian Orr. 

“As signalled in our Statements of Intent, we are well advanced on multiyear investment initiatives related to our digital systems and data management. We have prioritized these initiatives consistent with the recommendations outlined in the reports.”

On December 25, 2020, the Reserve Bank became the target of a cyber-attack on the third-party application it utilizes to exchange and store information. Following that, KPMG was appointed to conduct an independent investigation into the bank's rapid response to the security incident and identify areas where the bank's systems and processes may improve. 

Orr also stated that, despite being the victim of a massive illegal attack on the file-sharing system, the Reserve Bank accepts complete responsibility for the inadequacies identified in the KPMG report.

“We were over-reliant on Accellion – the supplier of the file transfer application (FTA) – to alert us to any vulnerabilities in their system. In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning.”

According to KPMG, the bank's controls and processes need to be enhanced, and that work is now under way. If these procedures had been in place at the time of the unlawful breach, the damage would have been lessened.

Background 

In late 2020, the Bank engaged Deloitte to conduct an independent investigation to help the Reserve Bank of New Zealand better manage sensitive data. This was in response to two incidents in which sensitive information was improperly kept in a draft internal report and disclosed to a small group of financial services firms just before it was made public.

Initiatives to put the report's recommendations into action are also underway. The Bank estimates that the total cost of the security breach response, including internal resources, will be around $3.5 million.

In January 2021, the Reserve Bank discovered a data breach through Accellion FTA, a third-party file-sharing application that it used to share and store information. As part of the inquiry into the event, the Bank engaged KPMG to conduct an independent assessment of its systems and processes.

Threat Actor Targets New Zealand Reserve Bank to Acquire Sensitive Information

 

An unidentified attacker breached the Reserve Bank of New Zealand’s data systems and potentially gained access to sensitive and personal information. The attacker got into a third-party file-sharing service that the central bank uses to share and store sensitive information.

The Reserve Bank of New Zealand, based in Wellington and also known as Te Putea Matua, is responsible for setting monetary policy to stabilize prices in the nation. Governor Adrian Orr assured the public that the data breach has been contained and that the bank’s core functions “remain sound and operational”.

Threat actors have targeted a number of major organizations in New Zealand in the past year. The New Zealand Stock Exchange was one of the prominent victims: its servers were knocked out for nearly a week in August 2020. In a conversation with Radio New Zealand, Dave Parry, professor of computer science at Auckland University, said that another government might possibly be behind the Reserve Bank data leak.

Adrian Orr stated that “we are working closely with domestic and international security experts and other relevant authorities as part of our investigation and response to this malicious attack. The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information. The system has been secured and taken offline until we have completed our initial investigations”.

Pending further investigation, the Reserve Bank of New Zealand has taken its systems offline and is considering alternative techniques to secure data.