NZ Reserve Bank Issues Update on Accellion BreachBank Identifies Files That Were Removed
The Reserve Bank of New Zealand issued an update Monday on the data breach it sustained in December 2020, saying it has identified the records that were compromised and offering a timeline of the incident (see: NZ Reserve Bank Governor Says He 'Owns' Breach).
See Also: Case Study: The Road to Zero Trust
"We have completed our assessment of the files illegally downloaded during the breach and are notifying the organizations whose files contained sensitive information to support them and assist in managing the impact on their customers and staff," says Adrian Orr, the reserve bank's governor.
The Reserve Bank's investigation found that files removed from the bank's systems exposed data that included personal email addresses, dates of birth and credit information, Orr says.
The bank has brought in KPMG to conduct an additional independent review of its systems and processes. "Our core functions remain unaffected, sound and operational," Orr notes.
Accellion's FTA Breached
The bank reported in January that hackers had compromised Accellion's File Transfer Appliance, which the central bank used to securely share large data files with stakeholders.
The bank closed its connection to FTA when the breach was discovered, with Orr issuing an apology earlier this month for the bank falling short of the security standards its customers expect.
Accellion has issued an end-of-life warning for its FTA product effective April 30, and the company is now attempting to shift its customers over to its newer - and what it believes to be a more secure - Kiteworks platform.
Those Affected by FTA Vulnerability
Several Accellion FTA clients began reporting incidents starting in mid-December 2020, resulting in Accellion identifying several vulnerabilities and issuing a patch to fix the issue on Dec. 20. But Orr says Accellion never informed the bank the patch was available.
"There was a period of five days from the patch on 20 December until 25 December when the breach occurred, during which the bank would have applied the patch if it had been notified it was available," the bank reports in this week's update. The bank eventually applied the patch in early January.
The breach took place on Dec. 25 when files were downloaded from the FTA without authorization, the bank reports. For security reasons, the bank is not revealing the number of files or more specific details on the information they contained, Orr says. The exposed files - individual submissions made by organizations to the FTA - include Word documents, PDFs, zip files and those in other formats.
The bank says it will reveal additional details as the investigation continues.
Other victims of breaches tied to Accellion's FTA include Singapore telecom company Singtel, Australian medical research institute QIMR Berghofer, the Australian Securities and Investments Commission and the Washington state auditor in the U.S. (see: 2 More Breaches Tied to Accellion File Transfer Appliance).