The Reserve Bank of New Zealand has released the findings of independent reports on an illegal data breach on Christmas Day 2020 and its handling of sensitive information.

On December 25 2020, the Reserve Bank was the victim of a cyber-attack on the third-party file sharing application it used to share and store information, Accellion file transfer application (FTA). KPMG was subsequently engaged to complete an independent review of the Bank’s immediate response to the breach, and identify areas for improvements in the Bank’s systems and processes.

According to a public report commissioned by Accellion from cybersecurity forensics company FireEye, the vulnerability was first exploited by a cybercriminal group on 16 December 2020. Since then, several further similar attacks have occurred at companies and government organisations worldwide.

KPMG found that software updates to address the issue were released by the vendor in December 2020 soon after it discovered the vulnerability. However, the email tool used by Accellion failed to send the email notifications and consequently the Bank was not notified until 6 January 2021.

The investigation also revealed was that the bank was using the FTA service for more than just secure file transfers, as intended, but instead relied on it as an information repository and collaboration tool, which increased the volume of information at risk.

“While we were the victim of a widespread illegal attack on the file sharing system, the Reserve Bank takes full responsibility for our shortfalls identified in the KPMG report. The Bank accepts the findings and has, and will continue to, implement the recommendations,” Reserve Bank Governor Adrian Orr says.

“We were over reliant on Accellion – the supplier of the file transfer application (FTA) – to alert us to any vulnerabilities in their system. In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning.

“KPMG outline that there are controls and practices within the Bank that needed to be, and are being, improved. If these practices were in place at the time of the illegal breach the impact would have been less,” says Mr Orr.

“I am disappointed about the incident and the impact it has had on people, including our own team. I am confident, however, that we have responded with urgency, precision, and care. 

From the outset of the breach we have operated transparently and benefitted from the support of very capable domestic and international public sector cyber experts, and other private sector experts. I again extend my thanks to these people.” 

“I also again extend my apologies to all individuals and institutions that were affected by this illegal breach. I especially thank the Office of the Privacy Commissioner who have worked closely with us throughout the incident.”

Background

In January 2021, the Reserve Bank reported a data breach of a third-party file sharing software application – Accellion FTA – that was used to share and store information.

As part of the investigation into the breach the Bank engaged KPMG to undertake an independent review of its systems and processes.

The Bank estimates that the final cost of the breach response, including internal resources, will be around $NZ3.5 million. All costs associated with the breach were covered under the Bank’s baseline budgets.

In late 2020, the Bank engaged Deloitte to undertake an independent investigation to help improve its handling of sensitive information. This followed two incidents where sensitive information was incorrectly stored in a draft internal report, and information accidentally was disclosed to a small group of financial services firms a short time before it was made public. Initiatives are also underway to address the recommendations in that report.

Deloitte includes a series of recommendations on how the Reserve Bank could improve its handling of sensitive information, and reduce the potential for further breaches in the future. They are listed below. The Reserve Bank says initiatives are underway to address Deloitte's recommendations.

a. Update the RBNZ Access, Security and Classifications Policy to specifically make provision for classification categories that the Bank would have, as opposed to using the generic Protective Security Requirements (PSR) classification categories, to make it easy for users to accurately classify information.

b. Create information handling procedures for each classification category defined in the updated policy, which stipulates where information may be stored, who it may be shared with and how it should be handled throughout its lifecycle.

c. Implement a solution which would enable the easy classification of files when created or received by Bank employees. This could be a new technology solution or enabling a feature of a solution that RBNZ has already implemented.

d. Run user awareness campaigns and training once the foundational components above have been developed and implemented, to drive the rapid adoption of the new procedures related to sensitive information.

e. Undertake a tactical review of the members of Active Directory groups providing access to Documentum folders which would likely contain sensitive information, to confirm that their role within the organisation would require access to the folder. Once this tactical review is completed, a wider review of all privileges for all employees should be undertaken.

f. Perform a review of user access within the Bank, to confirm that the access provisioned for each user is commensurate with their role within the Bank. These reviews should include sign off by management of each department to confirm that appropriate levels of access are provided.

g. Expedite the initiatives related to identity governance and management which the Bank has planned for FY2022, to enable the principle of least privilege to be applied and access to be controlled and managed centrally.

h. Treat all incidents related to sensitive information as a data breach, to make sure the relevant stakeholders are informed and the right process for response, communication and investigation are executed in a timely manner.

i. Create a playbook specifically for the management of incidents that relate to information breaches, with the key activities to undertake during the response process.

More information

May 2021 – KPMG Data Breach Incident Assessment – summary report

February 2021 - Deloitte Report into internal information breaches

Reserve Bank data breach webpage