Batman: Not mega?

It's Accellion.

Was just on 3News.

Accellion
Prevent breaches and compliance violations with total visibility and control over IP, PII, PHI and all sensitive content exchanged with third parties.

andrewNZ:

Accellion
Prevent breaches and compliance violations with total visibility and control over IP, PII, PHI and all sensitive content exchanged with third parties.

Hmmm...

to me when someone claims something that's usually the opposite

- budget insert service = not cheap

- supercheap insert product = not cheap

- wire that never breaks = will break

- vacuum that sucks up bowling ball = will not

- we're not for profit, we're for you = we're not

etc

sorry i've walked the planet too long

Ubiquiti similarly affected.

Accellion were notified and patched it. I don't think it's clear yet if Accellion notified users (but good grief you'd hope so!) - RBNZ statement says other users were also compromised..!

So presumably the patch wasn't applied. Unless this actually happened before the patch?

Source: https://www.newshub.co.nz/home/money/2021/01/reserve-bank-warned-about-major-security-problem-before-breach-third-party-claims.html 

Press release issued today:

 

The Governor of the Reserve Bank of New Zealand, Adrian Orr, says the recent malicious and illegal breach of a file sharing application used by the Bank is significant, and has our full attention.

 

Mr Orr says New Zealand’s financial system and institutions remain sound, and Te Pūtea Matua is open for business. The standalone File Transfer Application system that was breached has been secured and closed.

 

“We apologise unreservedly to all of those impacted by the breach. Personally, I own this issue and I am disappointed and sorry,” Mr Orr says.

 

“Our investigation makes it clear we are dealing with a significant data breach. While a malicious third party has committed the crime, and we believe service provisions have fallen short of our agreement, the Bank has also fallen short of the standards expected by our stakeholders.”

 

A detailed forensic cyber investigation is underway and the Bank is working directly with affected stakeholders whose information may have been breached.

 

“We recognise the public interest in this incident and we acknowledge there are serious questions that need to be answered about how this incident occurred and how to strengthen our systems and processes,” says Mr Orr.

 

“In addition to the forensic cyber investigation currently underway, we have appointed an independent third party to undertake a comprehensive general review of this incident. We will be as transparent and clear as possible as this progresses, and will release the review’s terms of reference shortly.”

 

“Our immediate focus is on working directly with system users and those who may have had their information compromised. It is a complex process and accuracy and security are important. As our investigations progress, we are prioritising direct engagement with institutions and individuals affected. We thank stakeholders for their patience and understanding.

 

“Be assured, we are taking action. We are working closely with public authorities and utilising international experts as we respond. We are doing so in a whole of Government framework, utilising the National Security System.”

 

“We are not in a position to provide further details on the investigation at this time as it could adversely affect the investigation and the steps being taken to mitigate the breach,” says Mr Orr.

 

Ongoing updates on the investigation process will be provided via the Reserve Bank Data Breach Response page, and email service.

 

From Privacy Commission:

 

The Privacy Commissioner has today issued a compliance notice to the Reserve Bank of New Zealand, triggered by a cyber-attack in December 2020. 
 
This is the first time the Privacy Commissioner has issued a compliance notice since receiving these new powers in the Privacy Act 2020. 

 

Privacy Commissioner John Edwards says, “The cyber-attack was a significant breach of one of the Bank’s security systems and raised the possibility of systemic weakness in the Bank’s systems and processes for protecting personal information.”

 

As part of the investigation into the breach the Bank engaged KPMG to undertake an independent review of its systems and processes. The review revealed multiple areas of non-compliance with Privacy Principle 5.

 

Mr Edwards says, “We are heartened by the speed and thoroughness of the Bank’s response. We were notified as soon as the cyber-attack was identified, and they have been constructive and open throughout the compliance investigation process. We are pleased to see the positive way they’ve dealt with the aftermath of the attack.” 

 

The compliance notice issued today provides a template for the Bank to report on to the Privacy Commissioner, confirming the improvements to their policies and procedures aimed to make the systems more secure. 

 

Reserve Bank Governor Adrian Orr says, “OPC’s findings are consistent with the findings and recommendations in the KPMG review. We accept these findings and take full responsibility for the shortfalls identified in our systems and processes.”

 

“We have a detailed programme of work underway to address these. This work started shortly after the data breach incident through our business services improvement programme (BSIP) which continues to be a key priority for us here at Te Pūtea Matua.

 

I would like to again thank the OPC for their support throughout this incident and the collaborative approach they have taken during their investigation.”

 

Mr Edwards says, “Our role as a regulator is to deliver better privacy outcomes for all New Zealanders, using the powers at our disposal. Where we identify issues that compromise the security of personal information, we will use our compliance powers to make sure that these risks are addressed. This compliance notice also provides a learning opportunity for the Bank, and for other agencies. We appreciate the maturity and openness the Bank have shown throughout this process, and hope that others, too, can learn from this situation.”

 

Mr Edwards says that the Privacy Act allows for the publication of compliance notices on a case-by-case basis if the Commissioner believes it is desirable to do so in the public interest.  

 

“Publishing the full details of the compliance notice might compromise some of the ongoing efforts to fully rectify the matters that have been identified. However, I have decided it is necessary to publicly acknowledge the steps being taken by the Bank, to provide assurance to the public that these issues are being addressed.”