Accellion hack behind Reserve Bank of NZ data breach

The Reserve Bank of New Zealand, which yesterday disclosed it had suffered a data breach, now says it was caught up in a hack of enterprise data protection provider Accellion.

RBNZ governor Adrian Orr.

Accellion's file transfer appliance (FTA) was accessed illegally, RBNZ said in a statement.

“We have been advised by the third party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised,” RBNZ governer Adrian Orr said.

The FTA system, which was used to store and share sensitive information, has been secured and taken offline, RBNZ said. 

RBNZ said the compromised data may include some commercially and personally sensitive information.

The bank would not provide any further details such as how and when the data breach took place, claiming doing so could adversely impact its investigation and the steps taken to mitigate the breach.

Accellion told iTnews that it was made aware of a vulnerability in its "legacy FTA software" in mid-December last year.

The vulnerability was resolved and a patch released for FTA within 72 hours, a spokesperson for the vendor said, adding that "less than 50 customers [were] affected."

Accellion said the FTA is a 20-year-old product for large file transfers. 

"While Accellion maintains tight security standards for its legacy FTA product, we strongly encourage our customers to update to kiteworks, the modern enterprise content firewall platform, for the highest level of security and confidence," the spokesperson said.

With the FTA now offline, RBNZ is working with users of the system to find alternative ways to securely share data.

Other systems were not impacted by the data breach, RBNZ said.

“Our core functions and New Zealand’s financial system remain sound, and Te Pūtea Matua [RBNZ] is open for business. This includes our markets operations and management of the cash and payments systems,” Orr said.