10 Feb 2021

RBNZ cyber breach: Accellion remains tight-lipped on timing of comms

11:53 am on 10 February 2021

The software firm at the centre of a cyber breach won't be drawn on whether it kept the Reserve Bank in the dark about a fault in its systems.

Reserve Bank of New Zealand

Reserve Bank of New Zealand Photo: RNZ / Alexander Robertson

The central bank revealed last month a third party file sharing service it uses to store and send sensitive information was hacked.

At the time, the US company which operates the software, Accellion, said it discovered a vulnerability in its software in mid-December and notified its customers within 72 hours about a patch to fix the issue.

However, the Reserve Bank disputes this.

In a statement released yesterday, the bank's governor Adrian Orr said it took Accellion five days to notify it about the problem, in which time it could have avoided the hack.

"We had no warning to avoid the attack which began in mid-December. Accellion failed to notify the bank for five days that an attack was occurring against its customers around the world, and that a patch was available that would have prevented this breach.

In response to the central bank's claim, a spokesperson for Accellion said it would not comment on individual customers.

"Accellion is conducting a full assessment of the File Transfer Appliance (FTA) data security incident with an industry-leading cybersecurity forensics firm.

"We will share more information once this assessment is complete. For their protection, we do not comment on specific customers."

The spokesperson said it was working with its clients who were caught up in the breach to move them to its premier file sharing platform which had the highest level of security.

Get the RNZ app

for ad-free news and current affairs