
Reserve Bank reveals more details of cyber-attack

Monday, 11 January 2021

Reserve Bank governor Adrian Orr warned on Sunday it would take time to understand the implications of the breach.

The Reserve Bank has released more details of a cyber-attack that compromised the bank, saying a file-sharing system provided by Californian company Accellion had been hacked.

Reserve Bank governor Adrian Orr said it had been advised by Accellion that the Reserve Bank had not been specifically targeted and that other users of the software, called FTA (File Transfer Application), were also compromised.

The bank has not provided more information on the impact of the hack, including whether it could have financial implications for the bank – beyond saying the compromised data might include some commercially and personally sensitive information.

Orr said the file-sharing software was used to share information with “external stakeholders” and the bank was continuing to “respond with urgency to the breach”.


He reiterated it would take time to determine the impact of the breach.

“The analysis of the potentially affected information is being done with pace and care,” he said.

Auckland University associate professor Lech Janczewski warned against “pointing the finger” at any type of attacker at this stage.

“We are actively working with domestic and international cyber-security experts and other relevant authorities as part of our investigation.”

That included the GCSB’s National Cyber Security Centre, which had been notified and was providing guidance and advice, he said.

“We recognise the public interest in this incident, however, we are not in a position to provide further details at this time,” he said.

Doing so could “adversely affect the investigation and the steps being taken to mitigate the breach”, he said.

Orr said the file-sharing service had been taken offline, and the bank’s core functions and New Zealand’s financial system remained sound.

“This includes our markets operations, and management of the cash and payments systems.

“We will provide further facts when it is appropriate to do so,” he said.

The incident was sufficiently serious for Prime Minister Jacinda Ardern, Finance Minister Grant Robertson and GCSB Minister Andrew Little to be informed of the attack.

The Reserve Bank warned in a report in May that it needed to “uplift” its cyber-security capabilities, saying it faced a “high operational risk due to technical obsolescence and an under-investment in security” across many of its core technology platforms.

Brett Callow, an expert with Auckland-based cyber-security firm Emsisoft, said working out exactly what happened, and what data was compromised, during a breach required a forensic investigation that could take weeks to complete.

Bankers’ Association chief executive Roger Beaumont said prior to the Reserve Bank’s update that “as it is a security issue, we understand why the Reserve Bank cannot say much more at this stage”.

Auckland University associate professor Lech Janczewski said earlier that he would be “extremely careful” about pointing the finger at any type of attacker.

Stuff has approached Accellion for comment.

The privately owned company advises on its website that FTA “helps worldwide enterprises like yours transfer large and sensitive files securely using a 100 per cent private cloud, on-premise or hosted”.

The Reserve Bank has not confirmed whether it was using the latest version of the software, which Accellion advertises as providing “formidable protection from internal and external threats”.

Accellion says its solutions have protected “more than 25 million end users at more than 3000 global corporations and government agencies”, including hospitals in New York, consultants KPMG and the US National Park Service.