A data breach at New Zealand’s central bank affected other customers of a file-sharing service, potentially exposing sensitive information, it has emerged.
The Reserve Bank of New Zealand issued a brief statement on Sunday noting that the incident affected a third-party file-sharing service used by the institution.
Although the breach has been contained, an urgent investigation into the unauthorized access has begun.
However, in an update on Monday, the bank revealed the name of the vendor affected: Accellion. The Palo Alto-headquartered firm’s File Transfer Application (FTA) was targeted by malicious third parties, presumably going after the sensitive info stored and shared via the service.
“We are actively working with domestic and international cybersecurity experts and other relevant authorities as part of our investigation. This includes the GCSB’s National Cyber Security Center which has been notified and is providing guidance and advice,” said governor Adrian Orr, in a statement.
“We have been advised by the third-party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised.”
Reports claim that a vulnerability in the legacy FTA product was patched by Accellion in mid-December, hinting that those customers affected in this attack may not have updated their systems.
“Many organizations in New Zealand are still quite conservative when it comes to cyber-protection – with increased infrastructure complexity and dependencies on modern systems, this makes them more susceptible to external attacks and to internal mistakes caused by the human factor,” argued Acronis CISO, Kevin Reed.
“New Zealand is still ranked among the top 50 countries for cybersecurity, and has been stepping up on measures to boost its cyber-defenses, taking part in intelligence sharing with other major countries around the world – which, ironically, makes it a juicy target for attackers.”