sign uplog in
Want to go ad-free? Find out how, here.

The Reserve Banks says it is working directly with stakeholders to determine how many people have been impacted by the December data breach 'and will ensure they are well supported'

The Reserve Banks says it is working directly with stakeholders to determine how many people have been impacted by the December data breach 'and will ensure they are well supported'

Very personal information such as dates of birth, credit details and personal email addresses was stolen during the data breach in December that has affected the Reserve Bank. The RBNZ's still working out at this point exactly how many people are affected.

The RBNZ says on its designated data breach website page that it has completed its assessment of the files illegally downloaded on December 25 during the breach and "are notifying the organisations whose files contained sensitive information to support them and assist in managing the impact on their customers and staff".

"Some files contained lists of information such as personal email addresses, dates of birth, or credit information. We are working directly with stakeholders to determine how many people are impacted and will ensure they are well supported."

For security reasons, the RBNZ says, it we can’t provide specific details about the number of files downloaded or the information they contain.

The RBNZ says files involved were individual submissions made by organisations to the FTA. File types vary and include Word documents, PDFs, .ZIP and other formats.

The data breach has led to a substantial delay in the RBNZ publicly reporting regular information, such as monthly mortgage advances and other credit information, that it collects from the banks. Earlier the RBNZ had confirmed that the system breached was the one used by the the country's banks use to share information the RBNZ collects as part of its regulatory duties.

On January 10 the RBNZ reported a data breach of the third-party file sharing software application – Accellion FTA – that it had been using to share and store sensitive information. Following the malicious attack, the software application was secured and closed.

The RBNZ says support is available to any individuals impacted by the data breach. The Bank has engaged a specialist national identity and cyber support service IDCARE, to provide advice and assistance to people affected by the breach. It also continue to consult with the Office of the Privacy Commissioner.

KPMG has been appointed to undertake an independent review of the RBNZ's systems and processes. 

The RBNZ has said that in mid-December, Accellion FTA users in other countries started being attacked. Accellion released a patch to address the vulnerability on 20 December 2020, but according to the RBNZ "failed to notify the Bank a patch was available".

"The breach against the Bank occurred on 25 December 2020 and a number of files were illegally downloaded from the FTA. There was a period of five days from the patch on 20 December until 25 December when the breach occurred, during which the Bank would have applied the patch if it had been notified it was available. In early January, the Reserve Bank patched and secured the Accellion FTA, became aware of the breach, and closed the system.

Accellion has issued statements on the matter.

The RBNZ says a forensic cyber investigation and the independent review of the Bank’s systems and processes "will determine exactly what happened and the timing".

We welcome your comments below. If you are not already registered, please register to comment.

Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.


I'm starting a company that is contracted by the government to fix f*ckups. Booming industry.

That's what contractors and consultants are for. Best/worst thing is once it's fixed, by the next govt term, it's f'ed up again. A never ending money go round.

KPMG has been appointed to undertake an independent review of the RBNZ's systems and processes.


They have been building a cyber sec shop for several years.

Bit late for that isn't it? The horse has long bolted now.

Slap enterprise on the label and the idiot managers will pay $1m for anything. No one gets fired for hiring the big boys, in spite of their shocking record with behemoth one size fits all solutions. Finding good people to deliver targeted fit for purpose solutions is hard. Especially when no one in the team has a record of successful delivery. Crappy people, hire crappy people, and unsurprisingly deliver crappy products.

Would the RNZ keep records on the over leveraged or the under leveraged. Obvious really. Who would want this data. Speculation... but foreign national wanting data on who to target in case if interest rate rise or asset reset would be my pick.

Does that make sense? It's one of the fundemental principles of data security that information that leaves an organisation is anonymised. The Reserve Bank shouldn't actually have any personalised data to lose, should it? The more that is revealed the less I understand this disaster.

How convenient.

So the reserve bank has personal details of citizens for what reason? Collateral?

What's the bet RBNZ will continue to use Accelion. I'd be interested to know what Operating System Accelion use on their servers for the particular piece of software that was breached.
As pointed out by Squishy, what the hell do RBNZ need an individuals data for? They're not a retail bank. I think all they would need is agglomerated data in a designated group or type and anonymised by the retail bank.

Imagine if it's details on every person in New Zealand who has taken out a mortgage? Like some centralized database of all the major banks (that are not NBDT's) as part of regulatory oversight/auditing purposes?

Maybe that's why it's taking so long? Shouldn't take too long to notify the organisations, but assisting them in managing the fallout could be a different beast all together.