The Reserve Bank's use of a file sharing system hacked over the summer was not limited to secure file transfers as intended, thus placing more information at risk of attack than would otherwise have been the case, a KPMG report on the incident says.
The Reserve Bank has released a "public summary" of a KPMG "independent" review of its systems and processes commissioned earlier this year.
In February the Reserve Bank said personal information such as dates of birth, credit details and personal email addresses was stolen during the data breach in December, which led to significant delays in the Reserve Bank's regular data releases.
In late 2020, unauthorised access was obtained to a third-party-developed file transfer system, the Accellion File Transfer Application, used by the Reserve Bank. KPMG says access was obtained by exploiting a previously unknown vulnerability in the application.
According to a public report commissioned by Accellion from cybersecurity forensics company FireEye, the vulnerability was first exploited by a cybercriminal group on 16 December 2020. Subsequently several additional attacks occurred at companies and government organisations worldwide. The attack targeted known users of the application, which was used by the Reserve Bank to share and store sensitive information. KPMG says some of that information is likely to have been obtained by an "external threat actor."
"Usage of the System by the [Reserve] Bank was not limited to secure file transfers as intended. Working practices evolved over time to the point where the System was also used as an information repository and collaboration tool, which was not in adherence with the Bank’s 2014 guidelines on acceptable use of the System. Adherence would have significantly reduced the volume of information at risk," KPMG says.
KPMG's focus is largely on the containment phase of the Reserve Bank's response to the attack up until January 9. The firm says detailed analysis of what data was breached, and the subsequent actions undertaken, happened after the period covered by its report, and was subject to work performed by other independent parties hired by the Reserve Bank.
The Reserve Bank’s response to the attack continued for some months beyond January 9, alongside domestic and international cyber security experts and other relevant authorities.
"The data breach was contained by the [Reserve] Bank and the required software update applied within 24 hours of being notified by the vendor on 6 January 2021," KPMG says.
The firm says while the direct cause of the incident, the zero-day vulnerability, couldn't have been predicted, several key contributing factors directly impacted the scale and impact of the data breach.
These included the fact that although software updates to address the issue were released by Accellion in December, soon after it discovered the vulnerability, the email tool used by Accellion failed to send the email notifications, KPMG says. Consequently, the Reserve Bank wasn't notified until January 6. The Reserve Bank deployed the software updates on January 7 and started investigating whether a breach had occurred.
"We have not sighted evidence that the vendor informed the [Reserve] Bank that the System vulnerability was being actively exploited at other customers. This information, if provided in a timely manner, is highly likely to have significantly influenced key decisions that were being made by the Bank at the time. Having said this, the nature of the information provided in relation to the software update did indicate that the updates contained 'critical, time-sensitive security fixes' which drove the immediacy of the Bank’s response," KPMG says.
It also says there were initial alerts of potential malicious activity on the System in December that would have helped provide early detection had they been identified and/or followed up by the Reserve Bank’s support staff.
"These alerts were default alerts enabled within the System since 2015. There were also some key controls and working practices that were within the Bank’s control that were not implemented, and/or existing controls that were ineffective which also directly impacted the scale and impact of the data breach," KPMG says.
These include that the System hadn't undergone a certification and accreditation (C&A) process to understand and ensure that any key risks were identified and managed.
"The C&A process typically includes a systems risk assessment and controls audit and would also document the classification of the information that is stored on the system along with the high-level security requirements and information protection priorities. This could have highlighted the risks with the Bank’s usage of the System."
RBNZ implementing KPMG's recommendations
Governor Adrian Orr says the Reserve Bank accepts KPMG's findings and is implementing its recommendations.
“As signalled in our Statements of Intent, we are well advanced on multiyear investment initiatives related to our digital systems and data management. We have prioritised these initiatives consistent with the recommendations outlined in the reports,” Orr says.
“While we were the victim of a widespread illegal attack on the file sharing system, the Reserve Bank takes full responsibility for our shortfalls identified in the KPMG report,” says Orr.
“We were over-reliant on Accellion – the supplier of the file transfer application – to alert us to any vulnerabilities in their system. In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning."
“I am disappointed about the incident and the impact it has had on people, including our own team. I am confident, however, that we have responded with urgency, precision, and care," Orr says.
“I also again extend my apologies to all individuals and institutions that were affected by this illegal breach. I especially thank the Office of the Privacy Commissioner who have worked closely with us throughout the incident.”
The Reserve Bank won't name the individuals or institutions who were affected. Nor will it say what data was breached.
"The Reserve Bank recognises the public interest in the incident and our response, but for security reasons we are unable to provide specific details on some parts of the data breach and our response. This includes details of those affected by the breach," a Reserve Bank spokesman told interest.co.nz.
"We worked with a range of public authorities and experts in responding to the breach, but we will not be releasing technical analysis of the data breached or guidance received as part of our response."
KPMG's recommendations are detailed below.
Key recommendations 1.0
Consider conducting more frequent incident simulations to ensure key Bank staff and their delegates are familiar with all of the requirements of the Major Incident Response Plan, and adhere to the key requirements (or document the rationale for any deviations) such as maintaining a complete and accurate incident timeline. Update the detailed incident log accordingly.
Key recommendations 2.0
Review ongoing security training requirements for staff supporting critical systems based on the nature and type of information stored and processed and the key users of the system or information.
Review monitoring and alerting protocols for all key security and operational alerts to ensure there is appropriate escalation and a peer review/QA process to help ensure key incident information is not missed and the incident actions register is updated.
Improve the continuous monitoring of the control environment for vulnerabilities, potential threats, and attacks by formalising a program of audits, risk assessments and user awareness of policies and procedures.
Create a Digital Services On-Call & Overtime policy that aligns with the Bank’s current requirements and clarifies staff roles and responsibilities.
Key recommendations 3.0
Formalise the security strategy and roadmap and PSR/NZISM compliance architecture that is aligned with the Bank’s risks and is endorsed by the SLT and the Board.
Formalise the risk management process for C&A requirements and end of life platform exemptions and risk acceptance.
Develop, enforce and monitor acceptable use guidelines and minimum security standards for all critical applications.
Integrate the cyber and enterprise risk management frameworks to ensure consistent risk treatment and/or reduce gaps in risk identification.
Develop baseline standards for vendor communication protocols including requirements for maintaining/updating contact lists and agreed escalation protocols. These should form part of all vendor agreements.
Develop a policy/guidance for users to cover situations where an external party may mandate its own file sharing tools/protocols that may conflict with Bank policies.
Key recommendations 4.0
Develop a formal enterprise framework for data/information management that includes a formally approved enterprise wide classification standard.
Establish clear policies and guidelines for the security of data in unstructured storage.
Create a formal framework for vendor and asset management.
Define Platform and Information owner roles and responsibilities for support/on call and training/certification requirements.
Develop a framework for third-party risk management that assesses the risk associated with all critical providers and defines the controls that have been implemented.