The Reserve Bank (RBNZ) won’t collect data it routinely gathers from the financial institutions it regulates until next month, following a major data breach.
The attack, which the RBNZ alerted the public to on January 10, targeted the file-sharing software it used. This was provided by a third-party - Accellion.
The RBNZ says it will only resume collecting data from the likes of banks and non-bank deposit-takers when it implements a new secure file transfer system.
Consequently, the publication of most of the RBNZ’s statistical releases will be postponed by three to four weeks.
The halt in information gathering and publication comes as the Government considers ways of cooling housing demand - potentially by requiring the RBNZ to give greater consideration to house prices through the way it regulates banks.
The Government is mulling whether to enable the RBNZ to prevent banks from lending to property buyers seeking to take out a lot of debt versus their incomes.
The data hold-up also comes as the RBNZ consults on its proposal to, in March, reintroduce the same loan-to-value ratio (LVR) restrictions that were in place before it removed them last year.
And, it comes ahead of the RBNZ releasing its quarterly Monetary Policy Statement on February 24.
The Monetary Policy Committee will be interested in seeing how its stimulus is flowing through the banking system. IE the extent to which it continues to be property buyers, not businesses, making the most of low interest rates by borrowing up a storm.
At this stage, statistics affected include:
- Bank customer lending (C65 & C66): delayed from 12 January
- Credit card balances and spending (C12 & C13): delayed from 26 January
- New mortgage commitments - Loan to Valuation Ratios (C30-C35): delayed from 29 January
- Bank Balance Sheet (C5, C50-52, S10-41): delayed from 29 January
- Non-bank Lending Institutions (T1, T4, T11, T21, T31): delayed from 29 January
- Bank Liquidity (L1-3): delayed from 5 February
- Retail interest rates (B3, B6, B20, B21, B25-27): delayed from 5 February
The RBNZ said: “We expect other publications scheduled for February and March to also be affected, including the December 2020 quarter Bank Financial Strength Dashboard (scheduled for release on 3 March).”
Unaffected statistical releases include:
- Exchanges rates and TWI (B1)
- Wholesale interest rates (B2)
- Debt securities (D9-35)
- Reserve Bank (D3-12; F3-5; R1-3)
- Household inflation expectations (M13)
- Survey of business expectations (M14)
The RBNZ said: “It is important to note that no data has been lost and no publications will be cancelled. We have advised our data suppliers to prepare survey returns as normal.”
Compromised files identified
RBNZ Governor Adrian Orr gave the following update on the data breach: “With the assistance of New Zealand and international police, and forensic security specialists, the cause of the breach is now understood and resolved. The system is closed.
“Significantly, we have a good understanding of the scope of the breach.
“Based on the results of our investigation and analysis to date we have been able to tell stakeholders which of their files on the File Transfer Application (FTA) were downloaded illegally during the breach.
“This prioritised analysis is continuing and we are supporting stakeholders to manage risks and respond appropriately.
“We are also keeping the Office of the Privacy Commissioner regularly informed and we’re taking its guidance.
“The Bank’s core functions are unaffected, sound and operational.
“I’m pleased with the way the Bank has stepped up in responding to this breach, and I’m thankful for the support of our public and private sector partners, but I am disappointed and sorry this data theft has occurred.
“There are some serious questions that have been answered by the team at the Bank and there are more for the supplier of the system that was breached. That is the subject of an independent review by KPMG that is now underway.
“I will provide an update on the review process next week.”