The Reserve Bank of New Zealand – Te Pūtea Matua is replacing the file transfer application breached in a "malicious" cyber attack over the Christmas period.
A new secure file transfer system was expected to be in place next month, Reserve Bank governor Adrian Orr said today. The old system had already been shut down.
The breach targeted a legacy file sharing application from US company Accellion, which has been trying to get its remaining users to upgrade to the latest, cloud-based version, called Kiteworks.
Reseller News revealed the software involved after it was referenced in an internal consultation report last May. However, for reasons still unknown the bank appeared to have incorrectly specified it was using the new version of the software.
Earlier, Orr had said there are serious questions that have been answered by the team at the bank and there were "more for the supplier of the system that was breached".
The bank did not say today whether it was upgrading with Accellion to Kiteworks or implementing a product from another vendor.
The bank said it expected to receive a review of the incident by KPMG by the end of March after releasing the terms of reference today.
"We will continue to be as transparent as possible, being mindful of privacy and issues of commercial sensitivity, as well as the ongoing criminal investigation,” Orr said.
Orr said the review was in addition to the forensic and criminal investigations still under way with a focus on improving systems and work practices.
The scope of the review specifically excluded detailed assessment of the vendor control environment and software development processes and procedures.
It also excluded any comprehensive business wide review of information management practices, as the bank was scheduling this for later in the year.
“The recent attack on the externally facing system used by the bank revealed some service provision shortcomings and lessons for us on how we protect and manage the information we need to do our job," he said.
“We’ve asked KPMG to take a wider view of how the bank manages information and what improvements we can make.
“Just after the breach, I apologised for falling short of the standards expected by our stakeholders, and the standards we set for ourselves. This KPMG review is just one of the ways we are working to put that right."
Orr said the bank was being well supported in its response by domestic and international cyber security experts and relevant authorities and counterparts.
“We continue to work closely with the organisations whose files were illegally downloaded and I would like to reiterate my thanks for their continued support and cooperation,” Orr said.