NZ Reserve Bank Governor Says He 'Owns' BreachFlaw in Accellion's File Transfer Appliance Likely Led to Incident
The governor of New Zealand’s Reserve Bank, the nation's central bank, says he “personally owns” responsibility for a data breach that exposed private and sensitive stakeholder information.
On Friday, Gov. Adrian Orr said that the bank’s actions “have fallen short of the public’s expectations. This is why I am unreservedly apologizing,” according to a video included as part of a statement.
The bank disclosed on Jan. 10 that hackers had compromised the bank’s File Transfer Appliance, which is part of the file-sharing service from Accellion, a company based in Palo Alto, California. The central bank used the service to share information with stakeholders (see: Reserve Bank of New Zealand Investigates Data Breach).
Orr says the breach raises serious questions over why it occurred and how to better secure the bank’s systems. He says the bank has retained a third party to conduct a review.
Affected stakeholders have been contacted, Orr says. But he says details of what data was accessed can’t be released because that might affect the investigation or future defensive steps.
“This is a complex process, and at this point, accuracy is absolutely necessary,” Orr says. “That is our driver.”
The bank is working with domestic and international cybersecurity teams, including the Government Communications Security Bureau's National Cyber Security Center, which provides cybersecurity to the New Zealand government and the nation's critical infrastructure.
The bank has said the incident has not affected its day-to-day work, such as market operations and the management of cash and payments systems.
‘Legacy’ Appliance with Flaw
Orr didn’t go into detail about how the breach occurred. But information released by Accellion provides a picture of what went wrong.
On Jan. 11, Accellion released a statement saying that it warned customers of what it termed a “P0” vulnerability in its “legacy” File Transfer Appliance.
“Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected,” the company said in a statement.
One plausible scenario is that the Reserve Bank didn’t patch the flaw before hackers managed to access its data.
Accellion’s File Transfer Appliance was designed as a secure alternative to sending large files over email or FTP. The product has been around for 20 years.
The company has been nudging customers toward its Kiteworks content-sharing platform for at least two years while still supporting File Transfer Appliance. Kiteworks launched seven years ago.
“While Accellion maintains tight security standards for its legacy FTA product, we strongly encourage our customers to update to Kiteworks, the modern enterprise content firewall platform, for the highest level of security and confidence,” Accellion’s statement says.
In February 2017, NCC Group published an advisory warning of several vulnerabilities in File Transfer Appliance. NCC Group found that “unauthenticated attackers can execute arbitrary code on Accellion File Transfer Appliances with web server user privileges.”
New Zealand’s central bank, also known as Te Pūtea Matua, was established in 1934. It has been owned by the government of New Zealand since 1936.