ITP Techblog

Brought to you by IT Professionals NZ
Menu
« Back to Industry News

Lessons from the RBNZ hack - update software and use it for its intended purpose

Peter Griffin, Contributor. 01 June 2021, 10:14 am

A report into the data breach at the Reserve Bank has revealed that the bank was using third-party file-sharing software as a data repository and collaboration tool, worsening the impact of the hacking attack.

The Reserve Bank was hacked on Christmas Day last year when there was a breach of file transfer application (FTA) software provided by a US company called Accellion. Confidential Reserve Bank data was downloaded and the Bank went public with news of the attack in February. 

Now a KPMG public summary of its report into the data breach has found fault with the Reserve Bank's internal practices as well as a failure by Accellion to send crucial automated email notifications in December that would have alerted the Bank that it urgently needed to patch its software. 

Complicating matters, other "alerts of potentially malicious activity" on the Bank's file-sharing system weren't accessed by staff in December.

Despite other Accellion customers being affected, including the Australian Securities and Investment Commission and Transport for New South Wales, Accellion doesn't appear to have picked up the phone to contact the Bank to alert it - other than via the automated emails that didn't get through.

"This information, if provided in a timely manner, is highly likely to have significantly influenced key decisions that were being made by the Bank at the time," KPMG concluded.

Patchy security processes

The RBNZ only found out about the security exploit in Accellion's software on January 6, by which point hackers were already inside the bank's file-sharing software. It contained the breach and patched the system the following day.

From that point on, KPMG noted, the Bank's handling of the data breach was in line with best-practice. But by then, the damage was done.

While Accellion's software was security compliant when the hack occurred, our central bank wasn't using the most up to date and secure Kiteworks product which Accellion had recommended it upgrade to in 2017. In fact, the version the Bank was using was due to reach the end of its support life in April this year. The bank chose not to upgrade earlier based on the cost of the move. 

Screenshot 2021-06-01 at 10.13.08 AM.png

While a failure of automated and human checks and balances failed to alert the Bank to the seriousness of the breach, the situation was exacerbated due to the Bank using the file-sharing system for purposes beyond its intended use.

"Working practices evolved over time to the point where the System was also used as an information repository and collaboration tool, which was not in adherence with the Bank's 2014 guidelines on acceptable use of the System. Adherence would have significantly reduced the volume of information at risk" reported KPMG.

The Bank's data governance measures weren't up to scratch and KPMG has recommended the Bank "develop a formal enterprise framework for data/information management that includes a formally approved enterprise-wide classification standard".

That would determine where data can be stored and what data can be sent via file-sharing software. Among the other recommendations from KPMG was increasing staff awareness of cybersecurity, improve continuous monitoring of its systems and conduct "more frequent incident simulations".


Comments

You must be logged in in order to post comments. Log In


Web Development by The Logic Studio