Investigation continues into breach that resulted from attack against file-sharing service

The Reserve Bank of New Zealand has apologized for a “malicious and illegal” breach of customer data after a cyber-attack on a third-party service.

The Daily Swig recently reported that the bank – also known by the Māori name of Te Pūtea Matua – suffered a data breach after an unknown actor gained unauthorized access to a third-party file-sharing service.

Bank Governor Adrian Orr has since described the breach as “significant” and apologized “unreservedly” for the incident.

He added: “Personally, I own this issue and I am disappointed and sorry. Our investigation makes it clear we are dealing with a significant data breach.”

Orr added: “While a malicious third party has committed the crime, and we believe service provisions have fallen short of our agreement, the bank has also fallen short of the standards expected by our stakeholders.”


READ MORE Data breach at New Zealand’s Reserve Bank after third-party service hack


It still isn’t clear how many individuals were impacted by the incident, though the bank did say it is currently conducting an investigation into the attack.

Orr said: “In addition to the forensic cyber investigation currently underway, we have appointed an independent third party to undertake a comprehensive general review of this incident.

“We will be as transparent and clear as possible as this progresses, and will release the review’s terms of reference shortly.”

In an earlier email to The Daily Swig, a spokesperson said they will not be releasing any further details.

Orr’s full statement can be viewed below:



Tightening up

The bank said it was working closely with public authorities as well as utilizing the National Security System, which is comprised of law enforcement, intelligence, and other defense agencies.

New Zealand updated its privacy laws late last year, tightening rules regarding data protection.

The Privacy Act 2020 mandates that organizations must report “serious” data breaches immediately if there is a “risk of harm”, which refers to any data that has been leaked outside of an organization or public body.

Under the act, data handlers could be fined up to NZ$10,000 ($7,000) for non-compliance.

The Office of the Privacy Commissioner can also make an official complaint to the Human Rights Tribunal, which carries a maximum penalty of NZ$230,000 ($162,000).


YOU MAY ALSO LIKE Ubiquiti urges password reset in response to third-party breach