Reserve Bank governor Adrian Orr apologises over data breach

Author
Grant Bradley, NZ Herald,
Publish Date
Fri, 15 Jan 2021, 4:24PM
Reserve Bank Governor Adrian Orr. Photo / Mark Mitchell
Reserve Bank Governor Adrian Orr. Photo / Mark Mitchell

Reserve Bank governor Adrian Orr apologises over data breach

Author
Grant Bradley, NZ Herald,
Publish Date
Fri, 15 Jan 2021, 4:24PM

Reserve Bank governor Adrian Orr says he "personally owns the issue'' of a serious data breach and has brought in an independent investigator.

Orr said this week's malicious and illegal breach of a file-sharing application used by the central bank was significant.

"We apologise unreservedly to all of those impacted by the breach. Personally, I own this issue and I am disappointed and sorry," he said.

The data breach follows a May 2020 consultation document by the bank's chief information officer, Scott Fisher, that highlighted the need for more investment in IT, and a sweeping restructure of its IT structure and personnel.

Fisher's report said there was "high operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms".

Orr today said New Zealand's financial system and institutions remain sound, and the bank, Te Pūtea Matua, was open for business. The standalone file transfer application system that was breached has been secured and closed.

"Our investigation makes it clear we are dealing with a significant data breach. While a malicious third party has committed the crime, and we believe service provisions have fallen short of our agreement.''

The bank had also fallen short of the standards expected by its stakeholders.

A detailed forensic cyber investigation is under way and the bank is working directly with affected stakeholders whose information may have been breached.

"We recognise the public interest in this incident and we acknowledge there are serious questions that need to be answered about how this occurred and how to strengthen our systems and processes," said Orr.

In addition to the forensic cyber investigation, the bank had appointed an independent third party to undertake a comprehensive general review of the breach.

''We will be as transparent and clear as possible as this progresses, and will release the review's terms of reference shortly."

The bank's immediate focus was on working directly with system users and those who may have had their information compromised. Up to 30 customers around the world could have been affected.

''It is a complex process and accuracy and security are important. As our investigations progress, we are prioritising direct engagement with institutions and individuals affected.''

Orr thanked stakeholders for their patience and understanding.

"Be assured, we are taking action. We are working closely with public authorities and utilising international experts as we respond. We are doing so in a whole of Government framework, utilising the national security system."

He said the Reserve Bank was not in a position to provide further details on the investigation at this time as it could adversely affect the investigation and the steps being taken to mitigate the breach.