Reserve Bank of New Zealand - Te Pūtea Matua governor Adrian Orr says the bank's data breach is contained, but it will take time to determine the impact.
The bank confirmed Reseller News' report yesterday that it used software from California-based Accellion for file sharing and that this was the system breached. The bank said the specific system was called FTA, or file transfer application.
Accellion did not respond to queries emailed overnight.
However, the company told local news website Stuff it discovered a vulnerability in a 20-year-old version of its FTA software in “mid-December” and issued a patch three days later.
The bank has not yet commented on whether it applied the patch.
Accellion also said its current Kiteworks file sharing software was not involved in the breach in any way.
The Reserve Bank cited Kiteworks as being in use in a report from May last year, but yesterday described the breached system as Accellion FTA.
Orr said the software was used to share information with external stakeholders. Analysis of the potentially affected information was being done with "pace and care", he said.
“We are actively working with domestic and international cyber security experts and other relevant authorities as part of our investigation,” he said.
This included the GCSB’s National Cyber Security Centre, which had been notified and was providing guidance and advice.
“We have been advised by the third-party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised,” Orr said.
“We recognise the public interest in this incident; however, we are not in a position to provide further details at this time.”
Providing any further details at this early stage could adversely affect the investigation and the steps being taken to mitigate the breach, he said.
“Our core functions and New Zealand’s financial system remain sound, and Te Pūtea Matua is open for business. This includes our markets operations and management of the cash and payments systems.”
Accellion is owned by private equity firms Baring Private Equity Asia and Bregal Sagemount.
The latter led a US$120 million fundraising round last April aiming to accelerate the adoption of Accellion's enterprise content firewall application.