Reserve Bank hit with compliance notice from Privacy Commissioner over data breach

Reserve Bank Governor Adrian Orr. Photo / Getty Images

The Reserve Bank has suffered the ignominy of being the first organisation to be hit by a compliance notice under the new Privacy Act, which came into force in December last year.

Privacy Commissioner John Edwards says an independent review carried out by KPMG after a December 2020 cyber attack "revealed multiple areas of non-compliance with Privacy Principle 5."

Principle 5 of the new Privacy Act states that organisations "must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information".

Failure to follow a compliance notice risks a $10,000 fine.

Reserve Bank Governor Adrian Orr said the Privacy Commissioner's findings "are consistent with the findings and recommendations in the KPMG review. We accept these findings and take full responsibility for the shortfalls identified in our systems and processes."

Orr added, "We have a detailed programme of work under way to address these. This work started shortly after the data breach through our business services improvement programme (BSIP) which continues to be a key priority for us here at Te Pūtea Matua."

In December 2020, a file-sharing service called FTA (File Transfer Application) was breached. It is operated by a US company called Accellion, which the RBNZ used to share files with its customers, who include retail banks and insurance companies.

The issue of cyber security was raised in a May 2020 (initially confidential) RBNZ report called Digital Services: Consultation for Change, with a foreword by the bank's then-chief information officer Scott Fisher, who quit the bank in June this year, calling it a "personal decision".

The report included the lacerating line that there is, "High operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms" and included a recommendation to upgrade FTA to Accellion's newer Kiteworks.

The KPMG report recommended the Reserve Bank develop more resilient systems and processes. Orr says upgrades are under way.

Edwards said this morning that he was "pleased to see the positive way they've dealt with the aftermath of the attack".