[BreachExchange] New Zealand: Reserve Bank investigating potential leak of information after black-out fail

[Audrey McNeil]

http://www.stuff.co.nz/business/89068896/reserve-
bank-investigating-potential-leak-of-information-after-blackout-fail

The Reserve Bank of New Zealand may have accidentally released commercially
sensitive information about New Zealand's banks, after failing to properly
sanitise documents.

On Friday the bank confirmed it was conducting an investigation into why
information redacted from documents - meaning the information was meant to
be blacked out and unreadable - could still be read by those accessing them
on its website.

The documents were posted on the central bank's website on Thursday
afternoon, and were available for viewing until Friday morning.

While the Reserve Bank is refusing to say what information was available,
which banks were affected or even what steps were required to extract the
information, it is understood the banks consider the information available
to be commercially sensitive and a potential security breach.

READ MORE:
* Reserve Bank of NZ conducting probe into alleged leak of OCR decision on
March 10
* MediaWorks admits leaking Reserve Bank of New Zealand interest rate
decision
* If Wheeler goes, will the Reserve Bank opt for safety or maverick?

Some of the information could also be considered private, including the
direct telephone lines for chief executives of New Zealand's largest banks.

Customer information is not believed to have been included in the
documents, the head of the banking lobby group said.

On Thursday the Wellington-headquartered Reserve Bank issued its final
policy on bank outsourcing, dictating what functions the four main banks
could outsource to their Australian parent companies.

At the same time the bank uploaded a number of related documents, including
three with substantial sections redacted.

"In practise, some of the information remained readable if certain steps
were taken," a spokesman for the Reserve Bank said on Friday.

The spokesman declined to say whether readers would have been able to
extract the information by using the copy and paste functions of computers.

"We've informed the affected parties, corrected the documents, ensured the
blacked-out information is completely unreadable, and of course we are
investigating how it happened."

The spokesman would not describe what kind of information was able to be
extracted.

"The stuff that was redacted was redacted for a reason."

The Reserve Bank has not apologised to the banks or admitted it made a
mistake because "we're not at that stage" the spokesman said.

"Our focus is on identifying what happened, how it happened, so we can make
sure it never happens again."

Karen Scott-Howman, chief executive of the New Zealand Bankers' Association
said the industry was aware of the problem.

"We routinely, as banks and the bankers' association, provide commercially
sensitive information to regulators, and we expect it to be kept secure."

Scott-Howman said the association understood that some of the information
was commercially sensitive, but that no customer information had been
disclosed.

The Reserve Bank has strict information disclosure standards.

After MediaWorks admitted disclosing a cut in the official cash rate from
within a media lock-up, the central bank immediately called an end to the
long running practice of giving journalists who came to the bank embargoed
copies of its documents shortly ahead of the public release.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170203/c1b3d107/attachment.html>