The Governor of the Reserve Bank of New Zealand has commissioned an independent inquiry into how stakeholders’ information was compromised when hackers breached a file sharing service used by the bank.
“We apologise unreservedly to all of those impacted by the breach,” said Adrian Orr. “Personally, I own this issue. I am very disappointed and very sorry to be here giving this news.”
It continues a bad two months for Orr and the Reserve Bank, after Finance Minister Grant Robertson gave the bank a slap, writing to Orr with a hurry-up to help rein in out-of-control housing prices.
Orr said this week’s “malicious and illegal” breach of a file sharing application used by the Bank was significant, and had the Reserve Bank’s full attention.
The Bank had been warned of the vulnerability: Accelion, the file transfer application’s operator, told customers including the Reserve Bank of the risk in mid-December. The application is used to store and share sensitive information; the Bank says it has now been secured and taken offline,
He insisted New Zealand’s financial system and institutions remained sound, and said Te Pūtea Matua remained open for business. The standalone File Transfer Application system that was breached has been secured and closed.
He said the Bank had failed to meet public expectations.
“Our investigation makes it clear we are dealing with a significant data breach. While a malicious third party has committed the crime, and we believe service provisions have fallen short of our agreement, the Bank has also fallen short of the standards expected by our stakeholders.”
A detailed forensic cyber investigation is underway and the Bank is working directly with affected stakeholders whose information may have been breached.
“We recognise the public interest in this incident and we acknowledge there are serious questions that need to be answered about how this incident occurred and how to strengthen our systems and processes,” Orr added.
“In addition to the forensic cyber investigation currently underway, we have appointed an independent third party to undertake a comprehensive general review of this incident. We will be as transparent and clear as possible as this progresses, and will release the review’s terms of reference shortly.”
“Our immediate focus is on working directly with system users and those who may have had their information compromised. It is a complex process and accuracy and security are important. As our investigations progress, we are prioritising direct engagement with institutions and individuals affected. We thank stakeholders for their patience and understanding.
“Be assured, we are taking action. We are working closely with public authorities and utilising international expertise as necessary. We are doing so in a whole of Government framework, and we are using the National Security System.
“We are not in a position to provide further details on the investigation at this time, as it could adversely affect the investigation and the steps being taken to mitigate the breach,” Orr concluded.
“I want to finish by saying how deeply this has impacted us at the bank and how important it is being prioritised for us personally.”
In a statement, ASB said it had been advised by the Reserve Bank there was a breach to one of its data systems, that that it had been contained and its “core functions remain sound and operational”.
“We have yet to be advised whether any information specific to ASB is involved but continue to remain in close communication with the Bank,” it said in the statement.
Westpac NZ also said it had been made aware of the incident, and said they were being kept updated about what, if any, possible impact there was to the bank.