Cyber Incident Victim: Reserve Bank of New Zealand
Date:
Jan 2021
Location:
New Zealand
Summary
The Reserve Bank of New Zealand experienced unauthorized access to sensitive information via a third-party file-sharing service, Accellion's File Transfer Application, which was compromised as part of a broader attack affecting multiple users of the legacy product. The breach was contained, and an urgent investigation involving domestic and international cybersecurity experts and authorities was initiated, with indications that the incident stemmed from exploitation of a previously patched vulnerability in the service. The bank emphasized that the attack was not specifically targeted at their institution, though the event highlighted systemic risks associated with outdated systems and the exposure of sensitive data.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On January 10, 2021, the Reserve Bank of New Zealand (RBNZ) publicly disclosed a data breach involving unauthorized access to a third-party file-sharing service it utilized. The breach was identified as having been contained by the time of the announcement, though the bank initiated an urgent investigation into the incident. The following day, RBNZ revealed the service provider as Accellion, a Palo Alto-based company whose legacy File Transfer Application (FTA) had been compromised by malicious actors. The attackers exploited a vulnerability in Accellion’s FTA, which had been patched by the vendor in mid-December 2020, indicating that affected customers, including RBNZ, may not have applied the security update promptly. The bank clarified that the breach was not a targeted attack against its systems but part of a broader campaign impacting multiple users of Accellion’s file-sharing application. Sensitive information stored or transmitted through the service was potentially exposed, though the specific nature or scope of compromised data was not detailed in initial reports.
RBNZ engaged domestic and international cybersecurity experts to investigate the incident, collaborating with New Zealand’s Government Communications Security Bureau (GCSB) through its National Cyber Security Center for guidance and advisory support. Governor Adrian Orr emphasized the institution’s proactive coordination with relevant authorities while acknowledging the breach’s implications for stakeholders. The incident highlighted systemic risks associated with reliance on legacy software and delayed patch management, particularly for organizations managing critical financial infrastructure. Cybersecurity commentators noted New Zealand’s position as a top 50 country in global cybersecurity rankings but pointed to persistent vulnerabilities stemming from conservative cyber-protection practices and increasing infrastructure complexity. The breach underscored operational challenges in securing third-party dependencies, with the compromised Accellion FTA serving as a vector for attackers seeking sensitive data across multiple entities. No additional technical specifics regarding attacker methodologies, internal detection timelines, or definitive data impact were disclosed by RBNZ or Accellion in the immediate aftermath.