The Reserve Bank of New Zealand – Te Pūtea Matua's investigation into the malicious illegal breach of a third-party file sharing application has "significantly progressed", the bank said today.
Governor Adrian Orr said the investigation remained the Bank’s highest priority, including supporting stakeholders to help them manage risks from the breach and to take appropriate action.
“With the assistance of New Zealand and international police, and forensic security specialists, the cause of the breach is now understood and resolved,” Orr said. “The system is closed.”
The bank also now had a good understanding of the scope of the breach.
“Based on the results of our investigation and analysis to date we have been able to tell stakeholders which of their files on the File Transfer Application (FTA) were downloaded illegally during the breach.
“This prioritised analysis is continuing and we are supporting stakeholders to manage risks and respond appropriately.
“We are also keeping the Office of the Privacy Commissioner regularly informed and we’re taking its guidance.
“The Bank’s core functions are unaffected, sound and operational.”
Reseller News understands the Privacy Commissioner was informed of the breach on Saturday, 9 January.
Notification of breaches of personal information is now required under New Zealand's new compulsory data breach disclosure regime, which came into effect in December.
“I’m pleased with the way the bank has stepped up in responding to this breach, and I’m thankful for the support of our public and private sector partners, but I am disappointed and sorry this data theft has occurred,” Orr said.
“There are some serious questions that have been answered by the team at the bank and there are more for the supplier of the system that was breached.”
The supplier, still unnamed in the bank's statement today, is US-based Accellion, as first reported by Reseller News last week.
The bank appeared to have been using a legacy version of Accellion's file transfer software, not its latest cloud-based system, called Kiteworks.
An independent review by KPMG is now underway and Orr said he would provide an update on the review next week.