New Zealand’s central bank Te Pūtea Matua/RBNZ says it is “responding with urgency” to a breach of one of its data systems — after a third party file sharing service “used by the Bank to share and store some sensitive information” was illegally accessed.
The bank did not name the third party service, but the incident comes months after it moved a range of services to the public cloud. It also raises troubling questions for New Zealand’s authorities, coming as it does after the country’s stock exchange NZX Ltd was forced to halt trading on four days in August following a DDoS attack.
Governor Adrian Orr said Sunday the breach has been contained, and the Bank is treating the matter with the highest priority: “We are working closely with domestic and international cyber security experts and other relevant authorities as part of our investigation and response to this malicious attack. The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information.”
New Zealand central bank data breach: Implications still unclear
“The system has been secured and taken offline until we have completed our initial investigations. It will take time to understand the full implications of this breach, and we are working with system users whose information may have been accessed.
He added: “Our core functions remain sound and operational.”
The bank’s phrasing suggests that one cause of the incident could (The Stack speculates) have been the bank leaving cloud-based storage services inproperly configured, resulting in their illegal access. The RBNZ recently shifted a range of data sets onto AWS, with CIO Scott Fisher telling the publication Central Banking that the central bank had seen a “smooth exit from our on-premise data centres.”
As Central Banking‘s Dan Hinge noted in October 2020: “The central bank’s financial markets department has already moved to the public cloud, with many of its data sources loaded into RBNZ’s new Datahub. The data and statistics teams, as well as other departments, are now following suit.”
In 2019 McAfee found (after analysing aggregated event data across “millions of cloud users and billions of events”) that 99% of misconfigurations go unnoticed by companies using cloud IaaS, saying: “The enterprise companies we spoke to told us that they were aware of, on average, 37 misconfiguration incidents per month. Yet our real-world data shows that companies actually experience closer to 3,500 such incidents.”