RBNZ says partner Accellion kept it in the dark about data breach

"We had no warning to avoid the attack which began in mid-December. Accellion failed to notify the Bank for five days," Reserve Bank Governor Adrian Orr says. Photo / Mark Mitchell

The Reserve Bank was kept in the dark for a crucial five days about a December data breach, Governor Adrian Orr says - contradicting its technology partner's version of events.

The incident - which saw sensitive data stolen - involved a file-sharing service run by US company Accellion.

"We had no warning to avoid the attack which began in mid-December. Accellion failed to notify the Bank for five days that an attack was occurring against its customers around the world, and that a patch was available that would have prevented this breach."

"If we were notified at the appropriate time, we could have patched the system and avoided the breach. Our own analysis has identified shortcomings in our processes once the system was breached. The impact this had is part of the review underway."

Orr's claim runs contrary to a January 12 statement by Accellion, which said, "Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected."

Accellion's overall timeline of three days is shorter than Orr's claim of five. The US-based Accellion did not immediately respond to a question about whether it immediately informed customers when it discovered the vulnerability, or if it waited until the patch was ready.

There are also broader timeline questions that will have to be resolved by an investigation currently underway by KPMG.

They include why the RBNZ had not acted faster on a May 2020 report by the bank's chief information officer, Scott Fisher, warned there was "high operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms".

Also why the RBNZ was still using a 20-year-old Accellion file-sharing service called FTA, when for the US company had been encouraging customers to upgrade to a more secure alternative, Kiteworks, for four years. Kiteworks was referenced in Fisher's report.

It has also been alleged by a cyber-security insider that the RBNZ learned of the vulnerability on December 24, but did not take action until January 7. The bank has not released any timeline of events at this point.

Orr also said today that "The Reserve Bank is making solid progress in responding to a recent malicious data breach, and ensuring affected stakeholders are well supported.

The RBNZ has completed its assessment of the files illegally downloaded during the breach and is notifying organisations involved, Orr said.

External legal advisers are also providing assurance checks and advice on any personal information which was included in the downloaded files.

"For security reasons, we can't provide specific details about the number of files downloaded, or information they contain. We have been in regular communication with all organisations who have had files illegally downloaded," Orr said.

"As a priority, we have engaged with the organisations whose files contained sensitive information, to support them and assist in managing the impact on their customers and staff.

"We are working directly with these organisations to determine how many people had sensitive personal information compromised and we will ensure they are well supported."

"The Bank has engaged a specialist national identity and cyber support service IDCARE, to provide advice and support to people affected by the breach at no cost to them. We continue to work closely with the Office of the Privacy Commissioner.

Orr said the forensic and criminal investigations into the breach are ongoing, as well as the independent KPMG review of the Bank's systems and processes.