The Reserve Bank of New Zealand says it received no warning for five days after an attack that targeted its file sharing system from US software vendor Accellion.
“We had no warning to avoid the attack which began in mid-December," bank governor Adrian Orr said today.
"Accellion failed to notify the Bank for five days that an attack was occurring against its customers around the world, and that a patch was available that would have prevented this breach.”
Last month, as news of the hack broke, Accellion said it had resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected.
The bank was using a legacy version of Accellion's software, not the latest version called Kiteworks, which Accellion said had never been breached.
An internal bank report from last year, also indicated the bank had under-invested in cyber security.
“If we were notified at the appropriate time, we could have patched the system and avoided the breach," Orr said today.
"Our own analysis has identified shortcomings in our processes once the system was breached. The impact this had is part of the review underway.”
The Reserve Bank – Te Pūtea Matua was making solid progress in responding to the malicious breach and ensuring affected stakeholders are well supported, Orr said.
The bank had completed its assessment of the files illegally downloaded and was notifying organisations involved.
External legal advisers were also providing assurance checks and advice on any personal information which was included in the downloaded files.
“For security reasons, we can’t provide specific details about the number of files downloaded, or information they contain," the governor said.
"We have been in regular communication with all organisations who have had files illegally downloaded."
As a priority, organisations whose files contained sensitive information have been prioritised to support them and assist in managing the impact on their customers and staff.
The Bank has engaged a specialist national identity and cyber support service IDCARE, to provide advice and support to people affected by the breach at no cost to them.
It also continued to work closely with the Office of the Privacy Commissioner.
Orr said the forensic and criminal investigations into the breach are ongoing, as well as the independent KPMG review of the Bank’s systems and processes.
“We remain committed to ensuring information is safe and secure.” Orr said.