Our response to the data breach
This page describes how we responded to the data breach of a standalone third-party system.
In January 2021, we reported a data breach of a third-party file sharing software application – Accellion FTA – that we used to share and store information. Following this malicious attack, the software application was secured and closed.
As part of the investigation into the breach the Bank appointed KPMG to undertake an independent review of its systems and processes.
The KPMG review, and report by Deloitte into two separate incidents involving sensitive information handling, have been completed.
Our focus is now on addressing the recommendations outlined in the reports and continuing to support stakeholders affected by the breach.
KPMG Review and Deloitte Report
KPMG undertook an independent review of the Reserve Bank’s systems and processes.
- KPMG Data Breach Incident Assessment – summary report
- Media release – Reserve Bank taking action to respond to data breach reports
- KPMG Review Terms of Reference
In late 2020, the Bank engaged Deloitte to undertake an independent investigation to help improve our handling of sensitive information. This followed two incidents where sensitive information was incorrectly stored in a draft internal report, and information was accidentally disclosed to a small group of financial services firms a short time before it was made public. Initiatives are also underway to address the recommendations in this report.
Support for individuals impacted by the data breach
Support is available to any individuals impacted by the data breach. The Bank has engaged a specialist national identity and cyber support service, IDCARE, to provide advice and assistance to people affected by the breach.
We also continue to consult with the Office of the Privacy Commissioner in relation to our response.
We also recommend that people remain vigilant and monitor their accounts, and do not respond to unsolicited requests to provide information, including by clicking on links or opening attachments. If in doubt, we encourage people to make their own enquiries about the legitimacy of any unsolicited requests, and to make contact only through official and publicly reported communication channels.
We have notified the Office of the Privacy Commissioner of the data breach, and consulted with the Office in relation to our response and engaging with impacted individuals.
You may contact our Privacy Officer if you have privacy concerns. Please email [email protected], or mail to
The Privacy Officer
Reserve Bank of New Zealand
PO Box 2498
You have the right to complain to the Office of the Privacy Commissioner if you are not satisfied with our response. Please phone 0800 803 909 (Monday to Friday, 10:00am to 3:00pm), access its website at www.privacy.org.nz, or mail to PO Box 10094, Wellington 6143.
Frequently asked questions
What was accessed?
Accellion FTA was used to share and store information. A detailed forensic cyber investigation took place to determine and identify files that were illegally downloaded.
We have completed our analysis and provided details of our assessments to affected stakeholders. For security reasons we can’t provide specific details about the number of files downloaded or the information they contain.
How many organisations were affected?
For security reasons we can’t provide specific details. We have completed our assessment of the files illegally downloaded during the breach. We have notified all the organisations, including individuals, whose files contained sensitive information, to support them and assist in managing the impact on their customers and staff.
While we do not expect any further change to our assessment, we will continue to monitor the dark web and advise if and when we do uncover more information.
The Bank has engaged a specialist national identity and cyber support service, IDCARE, to provide advice and support to both individuals and organisations affected by the breach.
What do you mean when you refer to files?
When the Bank refers to ‘files’ it is referring to individual submissions made by organisations to the FTA. File types vary and include Word documents, PDFs, .ZIP and other formats.
How has the Bank responded to this?
We responded quickly and with care. Accellion FTA is a standalone software application and it was secured and closed when we became aware of the breach.
While a malicious third party has committed the crime, we believe we have fallen short of the standards our stakeholders expect of us and that we set for ourselves. We apologise for this unreservedly.
The independent review by KPMG has been completed. Throughout our response to the breach we have been committed to being open and transparent and to keeping affected stakeholders informed.
What lessons have been learned, and improvements made?
While we were the victim of a widespread illegal attack on the file sharing system, the Reserve Bank takes full responsibility for the shortfalls identified in the KPMG report.
As outlined in the KPMG report, the FTA system wasn’t being used in an appropriate way by the Bank and certain controls and processes weren’t implemented or adhered to.
The Reserve Bank relied on the supplier of the file transfer system – Accellion – to alert it to any vulnerabilities in the system, and in this instance the notifications did not reach the Reserve Bank. However, there were also controls and practices within the Bank that could be improved and may have lessened the impact of the breach.
As signalled in our Statement of Intent and five-year funding proposal, we had already identified critical areas for investment in our systems, and these initiatives are well underway. We have also brought forward other initiatives to address the recommendations outlined in the KPMG and Deloitte reports.
How much was spent on responding to the breach?
The Bank estimates that the final cost of the breach response, including internal resources, will be around $3.5 million. This excludes process improvement initiatives that are likely to be taken as a result of the lessons learnt. All costs associated with the breach were covered under the Bank’s baseline budgets.
Key details of the costs include:
- 17,500 hours of internal Bank resources redirected to assist with the response.
- $1,800,000 spent on specialist external resources: individuals who supplemented the Bank’s own staff on the response workstreams, or organisations delivering a defined piece of work. This work included:
  - Cyber security services to investigate and provide an analysis of the files downloaded or potentially downloaded.
  - An independent review that confirmed the analysis of the cyber security findings.
  - Legal services to advise on privacy aspects.
  - Helpdesk support for impacted stakeholders.
  - Monitoring of the internet for any data obtained through the breach.
  - Services related to physical facilities, including the setup of a response room to allow co-location of the response team. Additional physical security was also required onsite.