The Reserve Bank of New Zealand (RBNZ) is making solid progress in supporting stakeholders affected by the recent data breach, according to Governor Adrian Orr.
In a statement, Orr said the bank has completed its assessment of the files illegally downloaded via a third-party file transfer application (FTA) service provided by Accellion during the breach. The bank is currently informing the organisations involved, while also working with external legal advisers to provide assurance checks and advice on any personal information that was exposed in the downloaded files.
“We had no warning to avoid the attack which began in mid-December,” Orr said. “Accellion failed to notify the bank for five days that an attack was occurring against its customers around the world, and that a patch was available that would have prevented this breach.”
Orr said that if RBNZ was notified at the appropriate time, it could have patched the system and avoided the breach. The bank eventually identified shortcomings in its processes after the system was breached, and these are being considered in the ongoing review. International auditing firm KPMG is also conducting an independent review of RBNZ’s systems and processes.
“For security reasons, we can’t provide specific details about the number of files downloaded, or information they contain,” he said. “We have been in regular communication with all organisations that have had files illegally downloaded.
“As a priority, we have engaged with the organisations whose files contained sensitive information, to support them and assist in managing the impact on their customers and staff.”
RBNZ has enlisted specialist national identity and cyber support service IDCARE to provide advice and support to people affected by the breach at no cost to them. It is also working closely with the Office of the Privacy Commissioner.
“We remain committed to ensuring information is safe and secure,” Orr said.