The Reserve Bank of New Zealand did not adhere to its own usage standards, worsening the impact of the cyberattack

Jun 2, 2021 08:35 GMT  ·  By

The Reserve Bank of New Zealand (RBNZ) was hacked after Accellion failed to warn it about an actively exploited vulnerability in its File Transfer Appliance (FTA), even though patches were already available, according to Itnews.

Although Accellion had updates available for the FTA product in December 2020 and had been alerted to the vulnerability by security vendor FireEye as early as December 16, the RBNZ was never notified of the issue.

KPMG found in a commissioned post-mortem that Accellion's email notification tool failed to send the notices, so the bank was not informed until January 6, 2021.

The theft occurred on Christmas Day 2020, and the RBNZ made the data breach public on January 11, stating that it involved commercial and personally sensitive information.

Adrian Orr, the governor of the Reserve Bank, confirmed KPMG's findings and placed most of the blame for the hack on Accellion.

Accellion is blamed for RBNZ’s cyberattack 

Orr stated, “We were over-reliant on Accellion – the supplier of the file transfer appliance – to alert us to any vulnerabilities in their system".

"In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach".

"We received no advance warning".

However, the RBNZ also breached its own 2014 criteria for approved use of FTA.

The FTA, approved only for secure file transfers, was also used for data storage and collaboration, which put a far larger amount of data at risk than the approved use would have.

In addition, although initial warnings of potentially malicious activity on the FTA had been enabled by default since 2015, RBNZ support staff failed to notice or act on them.

The RBNZ also had not completed a certification and accreditation process for the FTA, the process meant to ensure that all significant risks of the system were identified and addressed.

Orr went on to say that the RBNZ has taken full responsibility for its own shortcomings identified by KPMG.

KPMG suggested that event simulations be conducted more frequently to ensure that bank staff are familiar with the bank's Major Incident Response Plan (MIRP).

While staff followed portions of the MIRP, KPMG observed that not all sections of the plan were strictly adhered to, in particular the use of the defined playbooks and the initial assignment of the incident priority rating.