22 Jan 2021

Reserve Bank tells stakeholders what information was stolen during data breach

2:11 pm on 22 January 2021

How a "malicious and illegal breach" was able to occur and what information was taken from the Reserve Bank is now known.

Reserve Bank

The Reserve Bank's core functions were unaffected, sound and operational during a recent data breach. Photo: RNZ

Earlier in the month the central bank confirmed one of its data systems, a file-sharing application known as Accellion, had been compromised.

Governor Adrian Orr said after an investigation by the bank, police and forensic security specialists the cause of the breach was now known and resolved.

"Based on the results of our investigation and analysis to date we have been able to tell stakeholders which of their files on the File Transfer Application (FTA) were downloaded illegally during the breach.

"This prioritised analysis is continuing and we are supporting stakeholders to manage risks and respond appropriately.

"We are also keeping the Office of the Privacy Commissioner regularly informed and we're taking its guidance."

The bank's core functions were unaffected, sound and operational.

Previously, Orr said Accellion, a third-party service used to share and store sensitive information had not been hacked, but rather its data was compromised when its FTA software defences were breached.

Accellion advised the central bank in mid-December that it had discovered a vulnerability in the FTA.

Orr said questions remained for the suppler of Accellion, which were the subject of an independent investigation by the business advisory firm KPMG.

An update on the review process would be provided next week.

Get the RNZ app

for ad-free news and current affairs