Very personal information such as dates of birth, credit details and personal email addresses was stolen during the data breach in December that has affected the Reserve Bank. The RBNZ is still working out exactly how many people are affected.
The RBNZ says on its designated data breach website page that it has completed its assessment of the files illegally downloaded on December 25 during the breach and "are notifying the organisations whose files contained sensitive information to support them and assist in managing the impact on their customers and staff".
"Some files contained lists of information such as personal email addresses, dates of birth, or credit information. We are working directly with stakeholders to determine how many people are impacted and will ensure they are well supported."
For security reasons, the RBNZ says, it can’t provide specific details about the number of files downloaded or the information they contain.
The RBNZ says files involved were individual submissions made by organisations to the FTA. File types vary and include Word documents, PDFs, .ZIP and other formats.
The data breach has led to a substantial delay in the RBNZ publicly reporting regular information, such as monthly mortgage advances and other credit information, that it collects from the banks. Earlier the RBNZ had confirmed that the system breached was the one the country's banks use to share information the RBNZ collects as part of its regulatory duties.
On January 10 the RBNZ reported a data breach of the third-party file sharing software application – Accellion FTA – that it had been using to share and store sensitive information. Following the malicious attack, the software application was secured and closed.
The RBNZ says support is available to any individuals impacted by the data breach. The Bank has engaged a specialist national identity and cyber support service, IDCARE, to provide advice and assistance to people affected by the breach. It also continues to consult with the Office of the Privacy Commissioner.
KPMG has been appointed to undertake an independent review of the RBNZ's systems and processes.
The RBNZ has said that in mid-December, Accellion FTA users in other countries started being attacked. Accellion released a patch to address the vulnerability on 20 December 2020, but according to the RBNZ "failed to notify the Bank a patch was available".
"The breach against the Bank occurred on 25 December 2020 and a number of files were illegally downloaded from the FTA. There was a period of five days from the patch on 20 December until 25 December when the breach occurred, during which the Bank would have applied the patch if it had been notified it was available. In early January, the Reserve Bank patched and secured the Accellion FTA, became aware of the breach, and closed the system."
The RBNZ says a forensic cyber investigation and the independent review of the Bank’s systems and processes "will determine exactly what happened and the timing".