The Reserve Bank of New Zealand – Te Pūtea Matua is making solid progress in responding to a recent malicious data breach, and ensuring affected stakeholders are well supported.
Governor Adrian Orr says the Bank has completed its assessment of the files illegally downloaded during the breach and is notifying organisations involved. External legal advisers are also providing assurance checks and advice on any personal information which was included in the downloaded files.
"We had no warning to avoid the attack which began in mid-December. Accellion failed to notify the Bank for five days that an attack was occurring against its customers around the world, and that a patch was available that would have prevented this breach."
"If we were notified at the appropriate time, we could have patched the system and avoided the breach. Our own analysis has identified shortcomings in our processes once the system was breached. The impact this had is part of the review underway."
"For security reasons, we can't provide specific details about the number of files downloaded, or information they contain. We have been in regular communication with all organisations who have had files illegally downloaded.
"As a priority, we have engaged with the organisations whose files contained sensitive information, to support them and assist in managing the impact on their customers and staff.
We are working directly with these organisations to determine how many people had sensitive personal information compromised and we will ensure they are well supported."
The Bank has engaged a specialist national identity and cyber support service IDCARE, to provide advice and support to people affected by the breach at no cost to them. We continue to work closely with the Office of the Privacy Commissioner.
Mr Orr says the forensic and criminal investigations into the breach are ongoing, as well as the independent KPMG review of the Bank's systems and processes.
"We remain committed to ensuring information is safe and secure," says Mr Orr.
