[BreachExchange] Accellion hack behind Reserve Bank of NZ data breach

Destry Winant destry at riskbasedsecurity.com
Thu Jan 14 11:08:41 EST 2021


https://www.itnews.com.au/news/accellion-hack-behind-reserve-bank-of-nz-data-breach-559642

File transfer application illegally accessed.

The Reserve Bank of New Zealand, which yesterday disclosed it had
suffered a data breach, now says it was caught up in a hack of
enterprise data protection provider Accellion.

Accellion's file transfer appliance (FTA) was accessed illegally, RBNZ
said in a statement.

“We have been advised by the third party provider that this wasn’t a
specific attack on the Reserve Bank, and other users of the file
sharing application were also compromised,” RBNZ governor Adrian Orr
said.

The FTA system, which was used to store and share sensitive
information, has been secured and taken offline, RBNZ said.

RBNZ said the compromised data may include some commercially and
personally sensitive information.

The bank would not provide any further details such as how and when
the data breach took place, claiming doing so could adversely impact
its investigation and the steps taken to mitigate the breach.

Accellion told iTnews that it was made aware of a vulnerability in its
"legacy FTA software" in mid-December last year.

The vulnerability was resolved and a patch released for FTA within 72
hours, a spokesperson for the vendor said, adding that "less than 50
customers [were] affected."

Accellion said the FTA is a 20-year-old product for large file transfers.

"While Accellion maintains tight security standards for its legacy FTA
product, we strongly encourage our customers to update to kiteworks,
the modern enterprise content firewall platform, for the highest level
of security and confidence," the spokesperson said.

With the FTA now offline, RBNZ is working with users of the system to
find alternative ways to securely share data.

Other systems were not impacted by the data breach, RBNZ said.

“Our core functions and New Zealand’s financial system remain sound,
and Te Pūtea Matua [RBNZ] is open for business. This includes our
markets operations and management of the cash and payments systems,”
Orr said.

