Our response to Data Breach
This page describes how we are responding to a data breach of a standalone third-party system that we use.
In January 2021, we reported a data breach of a third-party file sharing software application – Accellion FTA – that we use to share and store sensitive information. Following this malicious attack, the software application was secured and closed.
We are working closely with international and domestic cyber security experts and other relevant authorities as part of our investigation and response.
We have completed our assessment of the files illegally downloaded during the breach and have notified all the organisations whose files contained sensitive information to support them and assist in managing the impact on their customers and staff.
Some files contained lists of information such as personal email addresses, dates of birth, or credit information. We worked directly with stakeholders to determine how many people were impacted and continue to ensure those people are well supported. Our focus remains on supporting stakeholders affected by the breach.
Our core functions remain unaffected, sound, and operational.
RBNZ Governor Adrian Orr responds to the illegal breach
Support for individuals impacted by the breach
Support is available to any individuals impacted by the data breach. The Bank has engaged a specialist national identity and cyber support service, IDCARE, to provide advice and assistance to people affected by the breach.
We also continue to consult with the Office of the Privacy Commissioner in relation to our response.
We also recommend that people remain vigilant and monitor accounts, and do not respond to unsolicited requests to provide information, including clicking on links and attachments. If in doubt, we encourage people to make their own enquiries about the legitimacy of any unsolicited requests, and make contact only through official and publicly reported communication channels.
We have notified the Office of the Privacy Commissioner of the data breach, and consulted with the Office in relation to our response and engaging with impacted individuals.
You may contact our Privacy Officer if you have privacy concerns. Please email [email protected], or mail to
The Privacy Officer
Reserve Bank of New Zealand
PO Box 2498
You have the right to complain to the Office of the Privacy Commissioner if you are not satisfied with our response. Please phone 0800 803 909 (Monday to Friday, 10:00am to 3:00pm), access its website at www.privacy.org.nz, or mail to PO Box 10094, Wellington 6143.
The Bank has appointed KPMG to undertake an independent review of its systems and processes. The Terms of Reference and more information about the review process can be found in this media release.
Frequently asked questions
Do you know how this happened?
A forensic cyber investigation and an independent review of the Bank’s systems and processes will determine exactly what happened and the timing.
- In mid-December, Accellion FTA users in other countries started being attacked.
- Accellion released a patch to address the vulnerability on 20 December 2020, but failed to notify the Bank a patch was available.
- The breach against the Bank occurred on 25 December 2020 and a number of files were illegally downloaded from the FTA.
- There was a period of five days from the patch on 20 December until 25 December when the breach occurred, during which the Bank would have applied the patch if it had been notified it was available.
- In early January, the Reserve Bank patched and secured the Accellion FTA, became aware of the breach, and closed the system.
- We are aware of shortcomings in the Bank’s processes and systems. The independent review by KPMG will examine the impact of these on the breach, as well as examining the sequence of events until the system was closed.
- Specific details about these events, actions and timing will be part of the review that is underway. The Terms of Reference are available below.
What was accessed?
We have completed our analysis of the files that were illegally downloaded and provided details of that assessment to affected stakeholders. For security reasons we can’t provide specific details about the number of files downloaded or the information they contain.
How many organisations were affected?
For security reasons we can’t provide specific details. We have been in regular communication with all organisations that have had files illegally downloaded.
How many individuals were affected?
We are working directly with the relevant organisations to determine how many people had personal information compromised. We will continue to ensure these people are well supported.
What do you mean when you refer to files?
When the Bank refers to files it is referring to individual submissions made by organisations to the FTA. File types vary and include Word documents, PDFs, .ZIP and other formats.
How has the Bank responded to this?
This issue has our full attention. Accellion FTA is a standalone software application and it was secured and closed when the Bank became aware of the breach.
The Bank is supporting stakeholders to help them manage risks and take appropriate action. We have also engaged IDCARE – a specialist national and cyber support service – to provide advice and support to those affected at no cost to them.
While a malicious third party has committed the crime, we believe the Bank has fallen short of the standards our stakeholders set for us and we apologise for this unreservedly.
In addition to the forensic cyber investigation currently underway, the Bank has appointed KPMG to undertake a comprehensive independent review.
Has this impacted the Bank’s ability to operate?
The Bank’s core functions and New Zealand’s financial system remain sound. The Bank is open for business, including market operations and management of the cash and payments system.
We advised on Friday 22 January that the RBNZ would be postponing publication of most statistical releases while we work through our response to the illegal breach of the third-party Accellion FTA application.
We have now started updating our release calendar and reinstating selected releases in stages.
When will more information be made public?
The Bank will provide more information regarding this incident as and when it is appropriate to do so, being mindful not to undermine the KPMG review and criminal and forensic investigations currently underway.