Reserve Bank governor Adrian Orr told Parliament that while there were shortcomings in the bank's response to a major data breach, it had been let down by the vendor of its software.
Orr said the calendar year "started with a thump" with the malicious attack on its 20-year-old Accellion file transfer application, used to share sensitive documents with the banks and other entities it regulates.
While re-emphasising his previous statements that the bank had no warning from the vendor about the hacked software, Orr told the Finance and Expenditure Committee the bank had identified shortcomings in its response once its own alert system said there was someone inside its system.
"I just want to emphasise that, you know, the bank has been a victim of a crime, and, yes, we’ll always have lessons, but, you know, this is the challenging nature of cyber risks," Orr said in an uncorrected transcript of the February meeting.
The bank was not the specific target of the attack, he said, but was caught in a broad global attack on users of Accellion's software around the world.
"I do want to state that we had no warning of the attack, which had begun in mid-December," he reiterated.
"The providers of this application failed to notify us for at least five days that an attack was occurring against its customers broadly and that a patch was available that could’ve headed off this attack if we were made aware that any of this was happening."
In answer to a question about the chronology of the attack and the bank's response by Hunua National Party MP Andrew Bayly, Orr said some of the dates Bayly cited were from an Accellion press release, which he couldn't talk to.
"I can only talk to the facts that we know and the facts that are forensically understood," Orr said.
"So you’d have to ask the providers around why they are saying that. The facts are that the 17 December date—a patch was released on 17 December and 20 December to some of their customers.
"We don’t know who those customers are; that’s their commercial sensitive behaviour. We were not one of those fortunate customers that were either notified that there was a weakness in the system and/or notified that there was a patch available.
"We never received that notification until after we had a third-party malicious attacker inside of our system. Those are the facts.
"Outside of automated alerts, we only ever received word from Accellion [on] 7 January around the patch being available, and we put it on immediately.
"So whilst what they may be saying publicly is their business, those are the facts relating to Te Pūtea Matua."
Accellion has already released its own review, by cybersecurity consultancy Mandiant, which appears to partly confirm Orr's statements but also raises one potentially significant issue for the bank.
A timeline in that review appears to show that there were two distinct exploits deployed by the attackers.
Accellion was alerted to the first hack by a customer on December 16, US time, the report said. It investigated the incident for three days before releasing a patch on December 20.
The second breach became known to Accellion on January 22, although the vulnerability was first exploited on January 20. This vulnerability was patched on January 25.
The report said Accellion then issued a critical security alert advising all FTA customers to shut down the system immediately.
There was no mention of any such alert being issued in response to the earlier breach, the one that affected the Reserve Bank, seemingly confirming Orr's account.
However, a detailed description of the vulnerability indicated the attackers uploaded a web shell that did trip a built-in anomaly detector included in the software.
"Once the anomaly detector is tripped, it generates an email alert to the customer (specifically to the admin email account designated by the customer), advising the customer to contact Accellion for support," the report said.
"As a result, any FTA customer affected by the December exploit likely was sent such an email – which, per Accellion, is how the December exploit came to its attention."
That raises the question of whether that system worked for the bank and issued an email warning. If it did not, why not and whose fault was that?
It also leaves open the question of whether such an automated alert on its own was adequate for the situation at hand.
Orr told MPs on the committee the impact on staff had been high.
"The team have been working seven days per week since 6 January," he said.
"You’re looking at quite a few people who bailed on holidays and weekends—all included—and we have really got our hands now on a very good position around the nature, the scale, of the breach, the documents that were downloaded, the sensitivity of those documents, the onus of those documents, and all of that is being managed through a very tightly orchestrated framework to ensure that our privacy issues are managed in accordance with the law and that institutional risks are being managed for anyone who had a sensitive document," Orr told the committee.
The governor also thanked the institutions it had been working with for their support and said the whole-of-government effort had been "fantastic".
"We’ll work through this and we will learn from it," he said.
The bank had engaged IDCARE to help make sure privacy work was managed both legally and with high sensitivity to anyone who had their data breached.
The bank has commissioned an independent review from KPMG into the breach and the bank's response, which was expected to be released before the end of March but has not yet dropped.