Reserve Bank Governor Adrian Orr. Image / Mark Mitchell
Reserve Bank Governor, Adrian Orr, says he “personally has a case” for a serious data breach and has called an independent investigator.
Ur said this week’s malicious and illegal breach of the file-sharing app used by the central bank was significant.
“We apologize unreservedly to all those affected by the breach. Personally, I own this case and I am disappointed and sorry,” he said.
The data breach follows an advisory document in May 2020 by Scott Fisher, the bank’s chief information officer, which highlighted the need for more investment in information technology, and a comprehensive restructuring of the IT infrastructure and personnel.
The Fisher report said there is “high operational risk due to technical obsolescence and a lack of investment in security across many core technology platforms”.
Today Ur said that New Zealand’s financial system and institutions were still intact, and that the bank, Te Bhatia, was dead, was open to business. The hijacked standalone file transfer app system is locked and closed.
Our investigation shows that we are dealing with a major data breach. While a malicious third party committed the crime, we believe our Terms of Service did not live up to our agreement. ”
The bank also fell short of the standards that stakeholders had expected.
A detailed forensic investigation is taking place online and the bank is working directly with affected stakeholders whose information may have been breached.
“We recognize the public interest in this incident and acknowledge that there are serious questions that need to be answered about how this happened and how to strengthen our systems and processes,” Ur said.
In addition to the cyber forensic investigations, the bank has appointed an independent third party to conduct a comprehensive public review of the breach.
“We will be as transparent and clear as possible as this progresses, and will issue the terms of reference for the review soon.”
The bank’s immediate focus has been on working directly with users of the system and those whose information may have been compromised. It can affect up to 30 customers worldwide.
“It’s a complex process, and accuracy and security are important. As our investigations progress, we are prioritizing direct engagement with affected institutions and individuals.
Ur thanked the stakeholders for their patience and understanding.
“Rest assured, we are taking action. We are working closely with the public authorities and we are seeking the help of international experts as we respond. We are doing it in a complete governmental framework, using the national security system.”
He said the Reserve Bank is not in a position to provide further details about the investigation at this time as it may adversely affect the investigation and the steps being taken to mitigate the breach.