Cyber Incident Victim: Bank of Papua New Guinea

On February 21, 2025, the Bank of Papua New Guinea's cybersecurity team detected unusual network activity occurring within an isolated test environment. This test environment was separate from the Bank's critical network infrastructure. The detection prompted immediate investigation and response actions by the team. By February 23, 2025, the Bank confirmed that the identified cyber incident had been fully contained and resolved. Throughout this period, the Bank emphasized that the incident was confined solely to the isolated test environment and did not extend to operational systems. The Bank of Papua New Guinea publicly announced these details in a release dated February 27, 2025, assuring stakeholders of the incident's resolution.

The Bank of Papua New Guinea explicitly stated that the cyber incident had no impact on its financial data, stakeholder data, or banking systems. Banking operations continued without disruption throughout the detection and containment period. BPNG clarified that this incident was entirely separate from another recent cybersecurity event occurring elsewhere in Papua New Guinea, noting differences in methods and targeted systems between the two events. The Bank reiterated that its core banking operations, financial systems, and stakeholder data remained secure at all times. As part of its ongoing cybersecurity commitment, BPNG highlighted its efforts to strengthen its security framework through enhanced monitoring and international collaboration. All essential banking services remained fully operational and protected by internationally recognised security measures following the incident. The Bank maintained its commitment to upholding the highest security standards to safeguard the stability of Papua New Guinea's financial system.