Our response to the data breach
This page describes how we responded to the data breach of a standalone third-party system in January 2021.
In January 2021, we reported a data breach of a third-party file-sharing software application, Accellion FTA, that we used to share and store information. Following this malicious attack, the software application was secured and closed.
As part of the investigation into the breach we appointed KPMG to undertake an independent review of our systems and processes. Both the KPMG review and a separate Deloitte report into two incidents involving sensitive information handling have been completed.
Our current focus is on addressing the reports' recommendations and continuing to support stakeholders affected by the breach.
KPMG review and Deloitte report
KPMG undertook an independent review of our systems and processes.
In late 2020, we engaged Deloitte to undertake an independent investigation to help improve our handling of sensitive information. This followed two incidents: sensitive information was incorrectly stored in a draft internal report, and information was accidentally disclosed to a small group of financial services firms a short time before it was made public.
Initiatives are also underway to address the recommendations in the Deloitte report.
Support for individuals impacted by the data breach
Support is available to any individuals impacted by the data breach. We have engaged a specialist national identity and cyber support service, IDCARE, to provide advice and assistance to people affected by the breach.
We also continue to consult with the Office of the Privacy Commissioner in relation to our response.
We also recommend that people remain vigilant, monitor their accounts, and do not respond to unsolicited requests for information, including by clicking on links or opening attachments. If in doubt, we encourage people to make their own enquiries about the legitimacy of any unsolicited request, and to make contact only through official and publicly reported communication channels.
We have notified the Office of the Privacy Commissioner of the data breach, and consulted with the Office in relation to our response and engaging with impacted individuals.
Contacting our Privacy Officer or the Office of the Privacy Commissioner
You may contact our Privacy Officer if you have privacy concerns. Please email [email protected], or mail to:
The Privacy Officer
Reserve Bank of New Zealand
PO Box 2498
You have the right to complain to the Office of the Privacy Commissioner if you are not satisfied with our response. Please phone 0800 803 909 (Monday to Friday, 10am to 3pm), access its website at www.privacy.org.nz, or mail to PO Box 10094, Wellington 6143.
What data and information was accessed
Accellion FTA was used to share and store information. A detailed forensic cyber investigation took place to identify the files that were illegally downloaded.
When we refer to ‘files’, we are referring to individual submissions made by organisations to the FTA. File types vary and include Word documents, PDFs, zip archives and other formats.
We have completed our analysis and provided details of our assessments to affected stakeholders. For security reasons we cannot provide specific details about the number of files downloaded or the information they contain.
About the organisations affected
For security reasons we cannot provide specific details of the organisations affected by the data breach.
We completed our assessment of the files illegally downloaded during the breach. We notified all the organisations, including individuals, whose files contained sensitive information, to support them and help them manage the impact on their customers and staff.
While we do not expect any further change to our assessment, we will continue to monitor the dark web and advise if and when we do uncover more information.
We engaged a specialist national identity and cyber support service called IDCARE, to provide advice and support to both individuals and organisations affected by the breach.
How we responded to the breach
We responded quickly to secure and close Accellion FTA, the standalone software application, as soon as we became aware of the breach.
While a malicious third party committed the crime, we believe we fell short of the standards our stakeholders expect of us and we set for ourselves. We apologised for this unreservedly.
The independent review by KPMG has been completed. Throughout our response to the breach, we were committed to being open and transparent and keeping affected stakeholders informed.
Lessons learned and what we have improved
While we were the victim of a widespread illegal attack on the file-sharing system, we take full responsibility for the shortfalls identified in the KPMG report.
As outlined in the KPMG report, we were not using the FTA system in an appropriate way and did not implement or adhere to certain controls and processes.
We relied on the supplier of the file transfer system, Accellion, to alert us to any vulnerabilities in the system; in this instance, the notifications did not reach us. We also had internal controls and practices that we could have improved and that may have lessened the impact of the breach.
As signalled in our Statement of Intent and five-year funding proposal, we had already identified critical areas for investment in our systems, and these initiatives are well underway. We have also brought forward other initiatives to address the recommendations outlined in the KPMG and Deloitte reports.
How much the breach cost
We estimate the final cost of the breach response, including internal resources, will be around $3.5 million. This excludes any process improvement initiatives we are likely to take as a result of the lessons learnt. All costs associated with the breach were covered under our baseline budgets.
The main details of the costs include:
- 17,500 hours of internal resources redirected to help with the response
- $1,800,000 spent on specialist external resources, being either individuals who supplemented our staff on the response workstreams or organisations that delivered a defined piece of work, which included:
  - cyber security services to investigate and analyse the files downloaded or potentially downloaded
  - an independent review that confirmed the analysis of the cyber security findings
  - legal services to advise on privacy aspects
  - helpdesk support for impacted stakeholders
  - monitoring of the internet for any data obtained through the breach
  - services related to physical facilities, including the set-up of a response room to allow co-location of the response team; additional physical security was also required onsite.
For enquiries email us at [email protected]
Send media enquiries to [email protected]