The Reserve Bank of New Zealand - Te Pūtea Matua, which revealed a breach of sensitive data yesterday, acknowledged a series of cyber security shortcomings in a consultation document last year.
Consulting on planned changes to improve IT services including data security, the bank reported it was at "high operational risk" due to technical obsolescence and an underinvestment in security across many of its core technology platforms.
It also said staff lacked the modern digital tools, data and systems required to effectively collaborate and to support informed decision making.
The bank noted its then digital services operating model made it hard for the business to engage with IT, struggled to meet current business demand and had unclear accountabilities.
The document outlined a plan to change structures and accountabilities within its digital services team to address the issues starting around the middle of 2020.
Yesterday, the bank said it was responding with urgency to a breach of a third-party file sharing service used by the bank to share and store some sensitive information.
Governor Adrian Orr said information had been illegally accessed but the breach had been contained and the bank was treating the matter with the "highest priority, and acting with urgency".
The name of the file sharing application was withheld from yesterday's announcement. However, the consultation document noted a system called Kiteworks, from California-based Accellion, was being used for file sharing as of last May.
Reseller News has asked the bank whether or not this was the system breached, among other questions. (Update: it now appears the breach was of a legacy Accellion file sharing system called File Transfer Application - FTA, not Kiteworks.)
In response, a spokesperson said the bank would not comment on the third party application involved and a further announcement was being considered, perhaps later today.
"We are working closely with domestic and international cyber security experts and other relevant authorities as part of our investigation and response to this malicious attack," Orr said in his statement yesterday.
"The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information.
"The system has been secured and taken offline until we have completed our initial investigations."
Orr said it would take time to understand the full implications of the breach, and the bank was working with system users whose information may have been accessed.
File sharing is widely acknowledged as an area of significant cyber security risk.