"Those are the facts": Reserve Bank governor stands his ground on breach timeline

Orr: "We never received notification until after we had a third-party malicious attacker inside of our system"

Adrian Orr (Reserve Bank of NZ)

Credit: Supplied

Reserve Bank governor Adrian Orr told Parliament that while there were shortcomings in the bank's response to a major data breach, it had been let down by the vendor of its software.

Orr said the calendar year "started with a thump" with the malicious attack on its 20-year-old Accellion file transfer application, used to share sensitive documents with the banks and other entities it regulates.

While re-emphasising his previous statements that the bank had no warning from the vendor about the hacked software, Orr told the Finance and Expenditure Committee the bank had identified shortcomings in its response once its own alert system said there was someone inside its system. 

"I just want to emphasise that, you know, the bank has been a victim of a crime, and, yes, we’ll always have lessons, but, you know, this is the challenging nature of cyber risks," Orr said in an uncorrected transcript of the February meeting. 

The bank was not the specific target of the attack, he said, but was caught in a broad global attack on users of Accellion's software around the world. 

"I do want to state that we had no warning of the attack, which had begun in mid-December," he reiterated. 

"The providers of this application failed to notify us for at least five days that an attack was occurring against its customers broadly and that a patch was available that could’ve headed off this attack if we were made aware that any of this was happening."

In answer to a question about the chronology of the attack and the bank's response by Hunua National Party MP Andrew Bayly, Orr said some of the dates Bayly cited were from an Accellion press release, which he couldn't talk to.

"I can only talk to the facts that we know and the facts that are forensically understood," Orr said. 

"So you’d have to ask the providers around why they are saying that. The facts are that the 17 December date—a patch was released on 17 December and 20 December to some of their customers. 

"We don’t know who those customers are; that’s their commercial sensitive behaviour. We were not one of those fortunate customers that were either notified that there was a weakness in the system and/or notified that there was a patch available. 

"We never received that notification until after we had a third-party malicious attacker inside of our system. Those are the facts.

"Outside of automated alerts, we only ever received word from Accellion [on] 7 January around the patch being available, and we put it on immediately. 

"So whilst what they may be saying publicly is their business, those are the facts relating to Te Pūtea Matua." 

Accellion has already released its own review, by cybersecurity consultancy Mandiant, which appears to partly confirm Orr's statements but also raises one potentially significant issue for the bank.

A timeline in that review appears to show that there were two distinct exploits deployed by the attackers.

Accellion was alerted to the first hack by a customer on December 16, US time, the report said. It investigated the incident for three days before releasing a patch on December 20.

The second breach became known to Accellion on January 22, although the vulnerability was first exploited on January 20. This vulnerability was patched on January 25.

The report said Accellion then issued a critical security alert advising all FTA customers to shut down the system immediately.

There was no mention of any such alert being issued in response to the earlier breach, the one that affected the Reserve Bank, seemingly confirming Orr's account.

However, a detailed description of the vulnerability indicated the attackers uploaded a web shell that did trip a built-in anomaly detector included in the software. 

"Once the anomaly detector is tripped, it generates an email alert to the customer (specifically to the admin email account designated by the customer), advising the customer to contact Accellion for support," the report said.

"As a result, any FTA customer affected by the December exploit likely was sent such an email – which, per Accellion, is how the December exploit came to its attention."

That raises the question of whether that system worked for the bank and issued an email warning. If it did not, why not and whose fault was that?

It also leaves open the question of whether such an automated alert on its own was adequate for the situation at hand.
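The adequacy question above comes down to whether an email to a designated admin mailbox reaches a person who acts on it. The following added example (not code from the article, Accellion or the bank) models that alert path over a constructed mailbox: it picks out anomaly-detector alerts by an assumed subject marker and flags any that nobody has acknowledged within an assumed escalation window.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample contents of a designated admin mailbox; these are not real vendor alerts.
SAMPLE_MAILBOX = [
    "From: fta-appliance@example.invalid\nSubject: [ANOMALY] Unexpected file activity detected\n"
    "Date: Fri, 18 Dec 2020 03:12:00 +0000\n\nPlease contact support.\n",
    "From: fta-appliance@example.invalid\nSubject: Weekly usage summary\n"
    "Date: Mon, 21 Dec 2020 08:00:00 +0000\n\nRoutine report.\n",
    "From: fta-appliance@example.invalid\nSubject: [ANOMALY] Unexpected file activity detected\n"
    "Date: Wed, 06 Jan 2021 01:30:00 +0000\n\nPlease contact support.\n",
]

# Assumed escalation window: an appliance alert left unacknowledged this long goes to on-call.
ESCALATE_AFTER = timedelta(hours=4)


def anomaly_alerts(raw_messages, marker="[ANOMALY]"):
    """Return (subject, sent_at) for each message whose subject carries the assumed alert marker."""
    found = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = msg["Subject"] or ""
        if marker in subject:
            found.append((subject, parsedate_to_datetime(msg["Date"])))
    return found


def triage(raw_messages, acknowledgements, now):
    """Classify each anomaly alert as 'acked', 'open' or 'escalate'.

    acknowledgements maps an alert's sent_at datetime to the time a human acknowledged it.
    An unacknowledged alert older than ESCALATE_AFTER is the failure mode an email-only
    channel cannot catch on its own: the message sat in the mailbox with no one acting on it.
    """
    states = {}
    for _subject, sent_at in anomaly_alerts(raw_messages):
        key = sent_at.isoformat()
        if sent_at in acknowledgements:
            states[key] = "acked"
        elif now - sent_at > ESCALATE_AFTER:
            states[key] = "escalate"
        else:
            states[key] = "open"
    return states
```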

Orr told MPs on the committee the impact on staff had been high.

"The team have been working seven days per week since 6 January," he said. 

"You’re looking at quite a few people who bailed on holidays and weekends—all included—and we have really got our hands now on a very good position around the nature, the scale, of the breach, the documents that were downloaded, the sensitivity of those documents, the onus of those documents, and all of that is being managed through a very tightly orchestrated framework to ensure that our privacy issues are managed in accordance with the law and that institutional risks are being managed for anyone who had a sensitive document," Orr told the committee.

The governor also thanked the institutions it had been working with for their support and said the whole-of-government effort had been "fantastic".

"We’ll work through this and we will learn from it," he said. 

The bank had engaged IDCARE to help make sure privacy work was managed both legally and with high sensitivity to anyone who had their data breached.

The bank has commissioned an independent review from KPMG into the breach and the bank's response, which was expected to be released before the end of March but has not yet dropped.
