12 Jan 2021

Reserve Bank warned of cyber vulnerability weeks before breach

1:01 pm on 12 January 2021

The Reserve Bank was warned about a critical problem in its file-sharing service weeks before a major breach, it has been revealed.

Reserve Bank governor Adrian Orr. Photo: RNZ / Dom Thomas

The central bank revealed on Sunday that a third-party service it uses to share and store sensitive information, known as Accellion, was illegally accessed.

Yesterday, the bank's Governor Adrian Orr confirmed it was not the target of a specific hack; rather, its data was compromised when the defences of Accellion's File Transfer Appliance (FTA) software were breached.

He said the data that was accessed may include commercially and personally sensitive information but it was too early to be certain.

However, it has been revealed the Reserve Bank was made aware in mid-December of an issue in the FTA software it uses from Accellion.

A spokesperson for Accellion said it notified customers after it discovered a "P0" vulnerability in FTA.

P0 is a triage term used by the technology sector to identify the most serious issues.

"Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected."

The RBNZ has been asked to confirm when it downloaded the patch.

Accellion provided no further detail about the nature of the breach, who was behind it or what data was accessed.

It did, however, refer to FTA as a "legacy product" and encouraged its customers to update to Kiteworks, which is the technology company's premier file transfer product.

Accellion said Kiteworks provided the highest level of security.
