Reserve Bank of New Zealand investigates illegal access of third-party system

Compromised data may include some commercially and personally sensitive information.

The Reserve Bank of New Zealand -- Te Pūtea Matua -- on Monday said it was still responding "with urgency" to an illegal breach of one of its systems.

The breach was of a third-party file sharing service provided by California-based Accellion. The bank uses its FTA file transfer product to share information with external stakeholders.

While the system has been secured and taken offline, and the breach described as contained, the Reserve Bank said it would take some time to determine the impact, with an analysis of the potentially affected information underway.

The bank is still looking to confirm the nature and extent of information that has been potentially accessed. It said compromised data may include some commercially and personally sensitive information.

The bank said it is communicating with system users about alternative ways to securely share data.

"We are actively working with domestic and international cybersecurity experts and other relevant authorities as part of our investigation. This includes the GCSB's National Cyber Security Centre which has been notified and is providing guidance and advice," Governor Adrian Orr said.

"We have been advised by the third party provider that this wasn't a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised."

Orr said providing further details could adversely affect the investigation and the steps being taken to mitigate the breach.

"We recognise the public interest in this incident however we are not in a position to provide further details at this time," he said.

The Reserve Bank disclosed the breach on Sunday.

Across the ditch in Australia, it was reported last week that private details of every Tasmanian who has called an ambulance since November last year were published online by a third party. The ABC said the list, appearing as Ambulance Tasmania's paging system -- which has since been taken offline -- was still updating each time paramedics are dispatched.

The data included the addresses of patients, their condition, HIV status, age, and gender. 

Reports indicate a police investigation and an internal review by the Tasmanian Department of Health are underway.

MORE FROM NEW ZEALAND