Reserve Bank hack: bank may not have applied patch in time
Tuesday, 12 January 2021
The company that supplied the software involved in the Reserve Bank hack said it discovered a vulnerability in that software in “mid-December” and issued a patch to fix the problem three days later.
The Reserve Bank would not comment on whether it immediately applied the patch, and if it didn’t why that was.
The bank said on Monday that a file-sharing system provided by Californian company Accellion had been hacked, potentially exposing commercially sensitive and personal information held by the bank.
Reserve Bank governor Adrian Orr said it had been advised by Accellion that the Reserve Bank had not been specifically targeted and that other users of the software, called FTA (File Transfer Appliance), were also compromised.
The bank first publicly disclosed the hack on Sunday, but the Office of the Privacy Commissioner said it had been advised on the breach on Saturday.
The bank has not provided more information on the impact of the hack, including whether it could have financial implications for the bank or the companies it regulates.
Accellion spokesman Rob Dougherty said it became aware of a “P0” vulnerability in an old version of its FTA software in mid-December and sent out a patch to the fewer than 50 organisations affected “within 72 hours”.
P0 is a term used in the industry to describe a vulnerability that could be classified as a worst-case scenario.
Dougherty described the version of its FTA software that was vulnerable to the exploit as a “legacy” system that was 20 years old.
“Accellion’s flagship enterprise content firewall platform, kiteworks, was not involved in any way.
“The kiteworks product has never reported a vulnerability during its four years in the marketplace,” he said.
Accellion’s version of events indicates that the FTA system the Reserve Bank was using was hosted by the bank rather than cloud-based.
Its comment about a patch being available raises fresh questions for the Reserve Bank, which stated in a May report that it needed to “uplift” its cyber-security capabilities because of “technical obsolescence and an under-investment in security” across many of its core technology platforms.
The Reserve Bank was not providing further comment on Tuesday.
Orr said on Monday that the Reserve Bank would “provide further facts when it is appropriate to do so”.