The data breach of the Reserve Bank of New Zealand has been attributed to the compromise of a third party file sharing service.
“A third party file sharing service provided by Accellion called FTA (File Transfer Application), used by the Bank to share and store some sensitive information, was illegally accessed,” the bank announced in a January 11 press release. “We have been advised by the third party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised.”
Accellion has since announced that it had released a patch for FTA in a separate press release, noting that its FTA product was twenty years old and was “legacy” software. The company has reportedly encouraged FTA users to update to a newer and more secure product since at least 2019.
“Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected,” the press release stated.
Acellion maintains that The Reserve Bank of New Zealand had been notified of the vulnerability in the FTA software in mid-December prior to the breach, which runs counter to the bank’s claims that the patch was not made available to them until December 24, less than a day before the data breach.
