Getty Images

New Zealand central bank IT system breached in cyber attack

Bank is responding to a cyber attack after hackers breached the system of a third-party supplier

New Zealand’s central bank is working with cyber security experts to help it understand the impact of a breach of a third-party file-sharing system used to share and store information.

The Reserve Bank of New Zealand (Te Pūtea Matua) said it had been told the attack was not specifically aimed at it, and other users of the file-sharing system from Accellion, known as File Transfer Application, were also compromised.

The bank, alongside cyber security experts, is working to establish “the nature and extent of information that has been potentially accessed” and said the compromised data “may include” commercially and personally sensitive information.

Adrian Orr, governor of the Reserve Bank of New Zealand, said the breach is contained and the bank is currently working to ascertain what information has been affected.

“We are actively working with domestic and international cyber security experts and other relevant authorities as part of our investigation,” Orr said in a statement. “This includes the Government Communications Security Bureau’s National Cyber Security Centre [NCSC], which has been notified and is providing guidance and advice.

No further details of the attack were available. “We recognise the public interest in this incident,” Orr added. “However, we are not in a position to provide further details at this time.”

Part of the reason for not revealing more details is to avoid adversely affect the investigation and the steps being taken to mitigate the breach, said the bank.

The bank said its main functions are unaffected and it remains open for business. “Our core functions and New Zealand’s financial system remain sound, and Te Pūtea Matua is open for business,” said Orr. “This includes our markets operations and management of the cash and payments systems.”

Read more about cyber attacks

The system has been secured and taken offline while investigations are under way and the bank is communicating with system users about alternative ways to share data securely. “It will take time to understand the full implications of this breach, and we are working with system users whose information may have been accessed,” it said.

New Zealand’s financial sector was shaken recently by a major attack on the country’s stock exchange, which was hit by an unprecedented volumetric distributed denial of service (DDoS) attack last August. That attack was another example of cyber attackers breaching through a third-party supplier’s service. 

Like central banks, stock exchanges are vital to a functioning economy, and even a short outage can cause economic havoc.

New Zealand’s NCSC published a report in November that said the country’s “nationally significant organisations continue to be the target of frequent cyber attacks from a range of malicious actors”.

The report said that from July 2019 to the end of June 2020, the NCSC recorded 352 cyber security incidents at nationally significant organisations, compared with 339 incidents in the previous 12 months. It added that 30% were linked to state-sponsored actors.

The NCSC pointed out that the number of incidents recorded was a small proportion of the total incidents affecting New Zealand and New Zealanders. “This is because of our focus on providing support for nationally significant organisations and response to potentially high-impact cyber security events,” it said.

Read more on IT for financial services