KPMG has reported a series of internal failings at the Reserve Bank of New Zealand that contributed to, or exacerbated the impact of, the data breach the bank suffered last December.
On 25 December 2020, the Reserve Bank was the victim of a cyber attack on a legacy third-party Accellion FTA file sharing application it used to share and store information.
The Reserve Bank of New Zealand – Te Pūtea Matua – today released the findings of the independent report on the illegal data breach disclosed in January and on its handling of sensitive information.
KPMG found there were initial alerts of potential malicious activity on the system in December 2020 that would have helped provide early detection had they been identified and/or followed up by the bank’s support staff.
These alerts were default alerts enabled within the system since 2015.
"There were also some key controls and working practices that were within the Bank’s control that were not implemented, and/or existing controls that were ineffective which also directly impacted the scale and impact of the data breach," KPMG found.
The system had not undergone a certification and accreditation (“C&A”) process to understand and ensure that any key risks were identified and managed.
That process typically includes a systems risk assessment and controls audit, and would also document the classification of the information stored on the system along with the high-level security requirements and information protection priorities.
"This could have highlighted the risks with the bank’s usage of the system," the report said.
Further, that usage was not limited to secure file transfers as intended.
"Working practices evolved over time to the point where the system was also used as an information repository and collaboration tool, which was not in adherence with the bank’s 2014 guidelines on acceptable use of the system," KPMG found.
"Adherence would have significantly reduced the volume of information at risk."
Reserve Bank governor Adrian Orr said today that while the bank was the victim of a widespread illegal attack on the file sharing system, the bank took full responsibility for its own shortfalls identified in the report.
“As signalled in our statements of Intent, we are well advanced on multiyear investment initiatives related to our digital systems and data management. We have prioritised these initiatives consistent with the recommendations outlined in the reports.”
The Accellion FTA solution, it emerged, was to be replaced, but that project had been delayed.
Orr also reiterated some of his statements about a lack of warning from the vendor.
“We were over reliant on Accellion – the supplier of the file transfer application – to alert us to any vulnerabilities in their system.
"In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning."
KPMG reported it did not sight evidence that the vendor informed the bank that the system vulnerability was being actively exploited at other customers.
"This information, if provided in a timely manner is highly likely to have significantly influenced key decisions that were being made by the bank at the time," the report said.
"Having said this, the nature of the information provided in relation to the software update did indicate that the updates contained 'critical, time-sensitive security fixes' which drove the immediacy of the bank’s response."
KPMG, however, outlined that there were controls and practices within the bank that needed to be improved. Had these been in place at the time of the illegal breach, the impact would have been less.
“I am disappointed about the incident and the impact it has had on people, including our own team. I am confident, however, that we have responded with urgency, precision, and care," Orr said.
"From the outset of the breach we have operated transparently and benefitted from the support of very capable domestic and international public sector cyber experts, and other private sector experts. I again extend my thanks to these people.”
“I also again extend my apologies to all individuals and institutions that were affected by this illegal breach. I especially thank the Office of the Privacy Commissioner who have worked closely with us throughout the incident.”
The bank estimated that the final cost of the breach response, including internal resources, will be around $3.5 million. All costs were covered under the bank’s baseline budgets.
The bank in general responded appropriately to the incident once it was detected and notified, KPMG found.
For instance, a major incident response plan existed and was referred to during the event.
The incident response team mobilised quickly despite having to call upon several delegated members due to the incident falling over the holiday period.
Minutes and actions were recorded and later all key documentation was transferred to a restricted location.
Appropriate escalation to the senior leadership team, key government security agencies and engagement of an external forensic security consultancy also occurred in a timely manner.
KPMG identified several aspects of risk management and the control environment that required improvement:
The risk assessment process did not formally consider appropriate mitigation actions and approval processes when a project was delayed or when key risk decisions were made by the project teams.
Acceptable use guidelines for critical systems were also not regularly reviewed or communicated and enforced across the bank.
Further, there was no consolidated register of the bank’s cyber risks and integration of the cyber risk framework with the enterprise risk framework.
The bank had not formalised an information security strategy, roadmap or framework to ensure its architecture complied with the Protective Security Requirements (PSR) and the NZ Information Security Manual.
The project to replace Accellion FTA also did not appear to consider the requirements of the original 2014 acceptable use guidelines document or whether delays in the project should trigger requirements for interim mitigating controls.
"We did, however, note several key controls that were either missing or not designed or operating effectively," KPMG reported.
"Some of these controls are fundamental to helping prevent other security related incidents occurring in the future."