A patch from software vendor Accellion was released on December 24 in the US, according to a new report, leaving the hacked Reserve Bank of New Zealand little or no time to implement the fix.
Bleeping Computer, citing sources, said the hack of Accellion's legacy FTA file transfer system, used by the bank to share documents with external stakeholders, occurred on 25 December, US time.
Given the 21-hour time difference between California-based Accellion and its New Zealand customer, the window to implement the fix only gets narrower.
In media statements, however, the vendor said it had discovered the vulnerability in mid December and released a patch within 72 hours.
The Reserve Bank - Te Pūtea Matua and Accellion were both asked for comment. Neither opted to add to their previous statements.
The bank was also using what has been described as 20-year-old software rather than Accellion's new Kiteworks file transfer system, which the vendor said has never been breached.
As reported earlier by Reseller News last May, the bank acknowledged underinvestment in cyber security and other challenges within its IT services in a report signed by chief information officer Scott Fisher.
The report also outlined a new strategy to address the shortcomings.
Consulting on the planned changes, the bank reported it was at "high operational risk" due to technical obsolescence and an underinvestment in security across many of its core technology platforms.
It also said staff lacked the modern digital tools, data and systems required to collaborate effectively and to support informed decision-making.
The bank noted its then-current digital services operating model made it hard for the business to engage with IT, struggled to meet current business demand and had unclear accountabilities.
On Monday, bank governor Adrian Orr said analysis of the potentially affected information was being done with "pace and care".
“We are actively working with domestic and international cyber security experts and other relevant authorities as part of our investigation,” he said.
This included the GCSB’s National Cyber Security Centre which had been notified and was providing guidance and advice.
“We have been advised by the third party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised,” Orr said.
“We recognise the public interest in this incident however we are not in a position to provide further details at this time.”