Privacy commissioner closes probe into RBNZ cyber defences

Central bank has “made every change recommended and more” in wake of hacker breach

Rachael King

New Zealand’s privacy commissioner has closed a probe into the central bank’s cyber defences, following a breach that saw hackers gain access to sensitive documents in late 2020.

The commissioner’s office ended its “compliance notice” today (September 1). The notice set out several reforms for the Reserve Bank of New Zealand to enact relating to the security of personal information.

“The RBNZ has made every change recommended and more, and we are closing this compliance notice confident that all identified areas of concern have been addressed,” said commissioner Michael Webster.

The exact details of the reforms specified by the compliance notice remain confidential, on the grounds that revealing the information might compromise efforts to rectify the issues. However, the RBNZ said they were consistent with recommendations contained in an independent report by KPMG on the cyber incident.

KPMG recommended changes including more security training and simulations, better monitoring, a clear security and risk management process, and the development of a “formal enterprise framework” for data and information management.

RBNZ governor Adrian Orr said today that the closure of the compliance notice was an “important milestone” for the bank. “We remain committed to our ongoing programme of education and training while continuing to improve our systems and processes supporting the protection and storage of information,” he said.

The cyber breach occurred in a third-party file-transfer service in December 2020. The provider of the service, Accellion, initially failed to inform the RBNZ of the breach. When the central bank’s IT team did learn of it, in early January 2021, it applied a patch that closed the vulnerability.

However, KPMG’s report notes that during the period between the breach and the patch being implemented, hackers had access to sensitive documents. The report concludes some of this information “is likely to have been obtained by an external threat actor”.

KPMG criticised Accellion for failing to inform the central bank earlier. But it also said RBNZ staff were using the system for file storage, which was not the system’s intended use, and breached the central bank’s own guidelines.

At the time, Orr admitted the incident had revealed flaws in the RBNZ’s systems. “While we were the victim of a widespread illegal attack on the file sharing system, the reserve bank takes full responsibility for our shortfalls identified in the KPMG report,” he said.

“The reserve bank did everything right in responding to this breach,” said Webster. “They notified us immediately, they worked with us throughout the process, and they have taken on board the improvements we advised through our compliance notice.”
