RBNZ governor Adrian Orr. /Supplied
The Reserve Bank of New Zealand was hacked after Accellion failed to send out a warning that its File Transfer Appliance (FTA) contained an actively exploited vulnerability with patches available.
While Accellion had patches for its FTA product available in December 2020, and was made aware by security vendor FireEye as early as the 16th of that month that the vulnerability was being exploited, RBNZ did not receive notification of the threat.
In a commissioned post-mortem, KPMG said that the email tool used by Accellion “failed to send … notifications and consquently the bank was not notified until January 6 2021.”
The hack took place on Christmas Day 2020, and the RBNZ went public about the data breach on January 11, noting it included commercially and personally sensitive information.
Reserve Bank governor Adrian Orr accepted KPMG’s finding, laying most of the blame for the hack on Accellion.
“We were over-reliant on Accellion – the supplier of the file transfer appliance – to alert us to any vulnerabilities in their system,” Orr said.
“In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach.
“We received no advance warning,” Orr said.
However, RBNZ breached its own 2014 guideliness on acceptable use of the FTA as well.
The FTA was used for information storage and collaboration as well as secure file transfers, which put a greater volume of information at risk.
Furthermore, RBNZ support staff did not identify or act on initial alerts of potential malicious activity on the FTA, even though these had been enabled by default since 2015.
A certification and accreditation process to understand and ensure that any key risks were identified and managed had not been done on the FTA by RBNZ either.
Orr added that RBNZ took full responsibility of its own shortfalls, as identified by KPMG.
KPMG recommended that more frequent incident simulations are conducted to ensure bank staff become familiar with its major incident response plan or MIRP.
While parts of the MIRP were followed by staff, KPMG noted there was not strict adherence to all aspects of the plan when it came to the use of defined playbooks, and the initial assignment of the incident priority report.
Orr acknowledged that controls and practices within the bank needed to be improved.
“If these practices were in place at the time of the illegal breach the impact would have been less,” Orr said.
Nevertheless, the governor added that he is confident that RBNZ had responded to the attack with urgency, precision and care.
Accellion’s FTA product is around 20 years old. A vulnerable version was exploited to attack Singtel, US supermarket chain Kroger as well as RBNZ, by installing the DEWMODE webshell.