The governor of New Zealand’s central bank has raised questions about the organisation’s vulnerability, following a cyber attack it described as “significant”.
Last week, the Reserve Bank of New Zealand (Te Pūtea Matua) was hit by a breach of a third-party file-sharing system used to share and store information.
Although the breach came via a technology supplier’s software – Accellion’s File Transfer Application – the central bank’s governor, Adrian Orr, said the bank had fallen short in protecting stakeholders. “There are serious questions that need to be answered about how this incident occurred and how to strengthen our systems and processes,” he said.
The central bank has appointed an independent company to undertake a comprehensive review of how it happened. “We will be as transparent and clear as possible as this progresses, and will release the review’s terms of reference shortly,” said Orr.
The bank said it was working with organisations that might have experienced data breaches as a result of the attack. “As our investigations progress, we are prioritising direct engagement with institutions and individuals affected,” added Orr.
In its latest update, the bank said: “We are working closely with international and domestic cyber security experts and other relevant authorities as part of our investigation and response. The nature and extent of information that has been illegally downloaded is still being determined, but it may include some commercially and personally sensitive information.”
It added that its core functions remained “unaffected, sound and operational”.
Adrian Orr, Reserve Bank of New Zealand
New Zealand’s financial sector was shaken recently by a major attack on its stock exchange, which was hit by an unprecedented volumetric distributed denial of service (DDoS) attack in August 2020. That attack was another example of cyber attackers breaching security through a third-party supplier’s service.
Like central banks, stock exchanges are vital to a functioning economy, and even a short outage can cause economic havoc.
New Zealand’s National Cyber Security Centre (NCSC) published a report in November 2020 that said the country’s “nationally significant organisations continue to be the target of frequent cyber attacks from a range of malicious actors”.
The report said that from July 2019 to the end of June 2020, the NCSC recorded 352 cyber security incidents at nationally significant organisations, compared with 339 incidents in the previous 12 months. It added that 30% were linked to state-sponsored actors.
The NCSC pointed out that the number of incidents recorded was a small proportion of the total incidents affecting New Zealand and its citizens. “This is because of our focus on providing support for nationally significant organisations and response to potentially high-impact cyber security events,” it said.
According to an independent study from Ponemon Institute, commissioned by password management specialist Keeper Security, in the UK, 70% of the UK finance industry suffered a cyber attack in 2020. Over half (57%) of the financial organisations questioned believe attacks have become more severe.
The study also revealed that financial services bosses believe the introduction of remote working as a result of the Covid-19 pandemic is putting their organisation at greater risk of cyber attack.