NZ Reserve Bank Issues Update on Accellion Breach

Bank Identifies Files That Were Removed
Reserve Bank of New Zealand Gov. Adrian Orr

The Reserve Bank of New Zealand issued an update Monday on the data breach it sustained in December 2020, saying it has identified the records that were compromised and offering a timeline of the incident (see: NZ Reserve Bank Governor Says He 'Owns' Breach).

"We have completed our assessment of the files illegally downloaded during the breach and are notifying the organizations whose files contained sensitive information to support them and assist in managing the impact on their customers and staff," says Adrian Orr, the reserve bank's governor.

The Reserve Bank's investigation found that files removed from the bank's systems exposed data that included personal email addresses, dates of birth and credit information, Orr says.

The bank has brought in KPMG to conduct an additional independent review of its systems and processes. "Our core functions remain unaffected, sound and operational," Orr notes.

Accellion's FTA Breached

The bank reported in January that hackers had compromised Accellion's File Transfer Appliance, which the central bank used to securely share large data files with stakeholders.

The bank closed its connection to FTA when the breach was discovered, with Orr issuing an apology earlier this month for the bank falling short of the security standards its customers expect.

Accellion has issued an end-of-life warning for its FTA product effective April 30, and the company is now attempting to shift its customers over to its newer - and what it believes to be a more secure - Kiteworks platform.

Those Affected by FTA Vulnerability

Several Accellion FTA clients began reporting incidents starting in mid-December 2020, resulting in Accellion identifying several vulnerabilities and issuing a patch to fix the issue on Dec. 20. But Orr says Accellion never informed the bank the patch was available.

"There was a period of five days from the patch on 20 December until 25 December when the breach occurred, during which the bank would have applied the patch if it had been notified it was available," the bank reports in this week's update. The bank eventually applied the patch in early January.

The breach took place on Dec. 25 when files were downloaded from the FTA without authorization, the bank reports. For security reasons, the bank is not revealing the number of files or more specific details on the information they contained, Orr says. The exposed files - individual submissions made by organizations to the FTA - include Word documents, PDFs, zip files and those in other formats.

The bank says it will reveal additional details as the investigation continues.

Other victims of breaches tied to Accellion's FTA include Singapore telecom company Singtel, Australian medical research institute QIMR Berghofer, the Australian Securities and Investments Commission and the Washington state auditor in the U.S. (see: 2 More Breaches Tied to Accellion File Transfer Appliance).

About the Author

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.
