New Zealand central bank boss apologises over cyber attack

The Reserve Bank of New Zealand said a third-party file-sharing service had been illegally accessed.

WELLINGTON (AFP) - New Zealand's central bank chief apologised on Friday (Jan 15) for failings that allowed a "significant" and "malicious" cyber attack to occur, and ordered an independent investigation.

The Reserve Bank of New Zealand revealed the breach on Sunday, saying a third-party file-sharing service that stored sensitive information had been illegally accessed.

Few details have been released since, aside from the bank saying the application at the centre of the breach was provided by US-based firm Accellion.

Governor Adrian Orr confirmed on Friday that the data breach was significant, but had been contained, and the bank was operating normally, as were New Zealand's financial institutions.

"We apologise unreservedly to all of those impacted by the breach. Personally, I own this issue and I am disappointed and sorry," he said in a statement.

"While a malicious third party has committed the crime, and we believe service provisions have fallen short of our agreement, the bank has also fallen short of the standards expected by our stakeholders."

Mr Orr acknowledged "there are serious questions that need to be answered about how this incident occurred".

"In addition to the forensic cyber investigation currently underway, we have appointed an independent third party to undertake a comprehensive general review of this incident," he said.

Mr Orr pledged to be as transparent as possible, but said providing further details at the moment could adversely affect the probe.

In its latest report, government agency CERT (Computer Emergency Response Team) said cyber attacks had increased 33 per cent year on year in New Zealand.

The country's stock exchange was targeted by sustained DDoS (distributed denial of service) attacks in August, forcing trading to be halted on four consecutive days.