31 May 2021

Reserve Bank moves to address cyber vulnerability after KPMG report

5:30 pm on 31 May 2021

The Reserve Bank says it is taking action to address issues raised by an independent investigation into a data breach over the summer holiday period.

Governor of the Reserve Bank Adrian Orr.

Governor Adrian Orr says the bank accepts the findings and has, and will continue to, implement the recommendations. Photo: RNZ / Dom Thomas

A report by consultancy KPMG has uncovered shortcomings in the Reserve Bank's data protection practices, which resulted in it becoming a victim of a cyber-attack on the third-party file-sharing application it used to share and store information.

"We were over reliant on Accellion - the supplier of the file transfer application (FTA) - to alert us to any vulnerabilities in their system," Governor Adrian Orr said.

"In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning."

The breach took place on 16 December, but the Reserve Bank was not immediately notified of the risks by Accellion and did not respond to the breach until after 6 January.

"Software updates to address the issue were released by the vendor in December 2020 soon after it discovered the vulnerability," the report says, however, it failed to advise the Reserve Bank about the data breach and the immediate steps required to address the risks.

KPMG's report recommended the central bank take a number of steps to improve its response to future attacks.

"The Bank accepts the findings and has, and will continue to, implement the recommendations," Orr said.

The Reserve Bank estimated that the final cost of the breach response, including internal resources, would be around $3.5 million, although all those costs were covered by the its baseline budgets.

Get the RNZ app

for ad-free news and current affairs