
Cyber attack prompts RBNZ to delay collecting and publishing bank data, key to policymakers addressing the housing crisis and ensuring the financial system is stable

The Reserve Bank (RBNZ) won’t collect data it routinely gathers from the financial institutions it regulates until next month, following a major data breach.

The attack, which the RBNZ alerted the public to on January 10, targeted the file-sharing software it used. The software was provided by a third party, Accellion.

The RBNZ says it will only resume collecting data from the likes of banks and non-bank deposit-takers when it implements a new secure file transfer system.

Consequently, the publication of most of the RBNZ’s statistical releases will be postponed by three to four weeks.

Bad timing 

The halt in information gathering and publication comes as the Government considers ways of cooling housing demand - potentially by requiring the RBNZ to give greater consideration to house prices through the way it regulates banks.

The Government is mulling whether to enable the RBNZ to prevent banks from lending to property buyers seeking to take out a lot of debt versus their incomes.

The data hold-up also comes as the RBNZ consults on its proposal to reintroduce, in March, the same loan-to-value ratio (LVR) restrictions that were in place before it removed them last year.

And, it comes ahead of the RBNZ releasing its quarterly Monetary Policy Statement on February 24. 

The Monetary Policy Committee will be interested in seeing how its stimulus is flowing through the banking system, that is, the extent to which it continues to be property buyers, not businesses, making the most of low interest rates by borrowing up a storm.

The details

At this stage, statistics affected include:

  • Bank customer lending (C65 & C66): delayed from 12 January
  • Credit card balances and spending (C12 & C13): delayed from 26 January
  • New mortgage commitments - Loan to Valuation Ratios (C30-C35): delayed from 29 January
  • Bank Balance Sheet (C5, C50-52, S10-41): delayed from 29 January
  • Non-bank Lending Institutions (T1, T4, T11, T21, T31): delayed from 29 January
  • Bank Liquidity (L1-3): delayed from 5 February
  • Retail interest rates (B3, B6, B20, B21, B25-27): delayed from 5 February

The RBNZ said: “We expect other publications scheduled for February and March to also be affected, including the December 2020 quarter Bank Financial Strength Dashboard (scheduled for release on 3 March).”

Unaffected statistical releases include:

  • Exchange rates and TWI (B1)
  • Wholesale interest rates (B2)
  • Debt securities (D9-35)
  • Reserve Bank (D3-12; F3-5; R1-3)
  • Household inflation expectations (M13)
  • Survey of business expectations (M14)

The RBNZ said: “It is important to note that no data has been lost and no publications will be cancelled. We have advised our data suppliers to prepare survey returns as normal.”

Compromised files identified 

RBNZ Governor Adrian Orr gave the following update on the data breach: “With the assistance of New Zealand and international police, and forensic security specialists, the cause of the breach is now understood and resolved. The system is closed.

“Significantly, we have a good understanding of the scope of the breach.

“Based on the results of our investigation and analysis to date we have been able to tell stakeholders which of their files on the File Transfer Application (FTA) were downloaded illegally during the breach.

“This prioritised analysis is continuing and we are supporting stakeholders to manage risks and respond appropriately.

“We are also keeping the Office of the Privacy Commissioner regularly informed and we’re taking its guidance.

“The Bank’s core functions are unaffected, sound and operational.

“I’m pleased with the way the Bank has stepped up in responding to this breach, and I’m thankful for the support of our public and private sector partners, but I am disappointed and sorry this data theft has occurred.

“There are some serious questions that have been answered by the team at the Bank and there are more for the supplier of the system that was breached. That is the subject of an independent review by KPMG that is now underway.

“I will provide an update on the review process next week.”



Given the Dashboard is down - they are best not to announce an OBR event.

Best time to do it. Can plead ignorance as no bank data available. Banks in the meanwhile can keep going on the lending spree as RBNZ doesn't have the data to rein them in.
That RBNZ can't come up with an interim solution to get the data is pathetic. They've had sufficient time.

Pretty sure banks have to take losses first guys. NPL are low unless they’ve been hiding them from the regulator like the Japanese in the 1990s.


How convenient.

Will probably be a scene in the NZ version of 'The Big Short.'

Wtf. That is all.

Red flag!

So, now they literally can't see the wood from the trees.


Wouldn't expect anything less from this mickey mouse country.


The fault lies squarely with the RBNZ failing to upgrade to a secure version of their file software. You don't let your locks rust off a vault and then complain when a thief takes the contents. That's just negligence.

To double down and use negligence as an excuse to delay crucial reporting in a time of great economic uncertainty is cynical at best.

Thanks for the link. That sort of thing is all too common unfortunately. Anyone remember the Equifax hack?

Wow. If they can't securely transfer files - what hope do the rest of us have doing that? Maybe we should shut down this internet thing - sounds pretty hard and dangerous, certainly not something you want to be doing your everyday banking over.
Unexpected also, you just can't make this stuff up, always seems to be the worst possible time, just as they had exuberant resi-lending and the MPS to consider.
That being said, I'm confident there are reasons that we need this central bank.

I certainly hope that RBNZ's consultation paper titled "Risk management guidance on cyber resilience and views on information gathering and sharing" due on the 29th of January won't be delayed by this. Guys, it sounds like they really need our advice!

These are the same clowns who think they know what they are doing blowing one of the worst real estate bubbles in the world.

People in charge of the RBNZ need to be fired, they certainly would if they were working in private enterprise. How can we do that?

They cannot be fired remember? The government says they are fully independent, so they answer to nobody. Not the public, not the finance minister, not the government.

Of course, that's not what the RBNZ Act says, the gubbmint just declares that is so because it allows them to not look responsible for the damage they cause.

In March 2020 just when the housing market seemed to weaken, RBNZ acted immediately to pre-empt it. But, now with house prices actually spiking, the same urgency seems to have dissipated. We also have the Min of Finance having the luxury of thinking about it "over summer".

Does RBNZ really need data to gauge the housing market?

No one is interested in stopping the housing Ponzi, be it the government, RBNZ or any experts, and they find excuses for not taking any action or, if forced, come out with an announcement that they will look into it after 6 months or 3 months... deflecting, as there is no intent to take action.

An inside job? Or just a Market Maker looking for an edge in the Housing Market information arena for speculators?

I doubt RBNZ's cyber-outage will have any impact on the housing market.....


It will do a whole lot of nothing to the housing market, that's the point :-)

You can enter your e-mail address at Have I Been Pwned:

It will tell you IF and how many times your email address has been sold and/or leaked-in-data-breaches. The site references your details against known/commonly available lists of hacked/pawn details.

Am I the only one starting to feel this smells off?

The gold veneer is quickly sloughing off this turd of a government.

How hard would it be for the banks to put the data on a physical hard drive or memory stick and simply walk it down to the RBNZ?

Such a fishy story.