
Data risk after RBNZ hit by cyber attack

The Reserve Bank of New Zealand is urgently investigating a cyber attack which it says could have involved personal information.

The Reserve Bank of New Zealand says it is responding with urgency to a breach of one of its data systems. Photographer: Bloomberg
The Reserve Bank of New Zealand is urgently investigating a breach of one of its data systems but says it will take time to determine the impact of the attack.

The central bank on Sunday revealed that a third-party file sharing service it used to share and store sensitive information had been illegally accessed.

RBNZ governor Adrian Orr said the breach had been contained, and the bank was treating the matter at the highest priority.

Mr Orr on Monday named the third-party file sharing service as Accellion FTA and detailed the steps the bank was taking to investigate the incident.

“We are actively working with domestic and international cyber security experts and other relevant authorities as part of our investigation,” he said.

“We have been advised by the third party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised.”

California-based Accellion’s FTA service enables organisations to transfer large and sensitive files. The transfers are supposed to be secure, “using a 100 per cent private cloud,” according to its website.

Mr Orr said the central bank could not yet reveal further details on the incident but confirmed that New Zealand’s National Cyber Security Centre had been notified and was providing guidance and advice.

The analysis of the potentially affected information was being done “with pace and care”, he said.

“The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information,” he said.

The system has been secured and taken offline until the central bank completes its investigations.

Meanwhile, the bank is working with system users on alternative ways to securely share data.

“It will take time to understand the full implications of this breach, and we are working with system users whose information may have been accessed. Our core functions remain sound and operational,” Mr Orr said.

The central bank’s core functions and New Zealand’s financial system remain sound, he added.

Chief information security officer for cyber protection company Acronis, Kevin Reed, said New Zealand had been stepping up on measures to boost its cyber defences, taking part in intelligence sharing with other major countries around the world.

This, ironically, made it “a juicy target for attackers,” he said.

“There’s no way to trace the breach back to the perpetrator until the investigation is complete,” Mr Reed said.

“It could be anything between a state sponsored attack or a simple automated attack on a misconfigured server/system. However, government entities aren’t known for paying ransoms, so threatening to leak data will likely not be profitable for the attacker – their goal could be simply to create mayhem.”

After blocking external access, the bank will need to review its logs to determine the damage and then establish how to proceed, he added.

“This could take a few days for an initial patch, and potentially weeks or months before a permanent fix is in place.”

The frequency of cyber attacks around the globe has surged over the past year, with an increasing number of corporate and public sector entities falling victim to such breaches.

New Zealand’s stock exchange was in August the subject of a cyber attack that forced it to halt trade over a number of days.

In Australia, Prime Minister Scott Morrison in June warned that organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure, were suffering increasing cyber attacks.

The Australian Cyber Security Centre, which leads the Australian government’s efforts to improve cyber security, last year warned that “malicious cyber actors” were seeking to exploit the COVID-19 pandemic for their own gain.

Among large corporates, cleaning services company Spotless was hit by a cyber attack in October, forcing it to temporarily shut down some of its IT services.

Other high-profile Australian companies to be hit by cyber attacks in 2020 included Toll and Lion Group.

Original URL: https://www.theaustralian.com.au/business/technology/data-risk-after-rbnz-hit-by-cyber-attack/news-story/a4e1298cbb03add610f6c1c09a275eb6