Reserve Bank cyber attacks could be linked to data systems it uses

A cyber security expert says attacks like the latest on the Reserve Bank could be due to the type of data systems they are using.

The Reserve Bank revealed yesterday a third party file sharing service it uses, which contains some sensitive information, has been hacked.

It's the latest after a string of cyber attacks in the past year targeting several major organisations in New Zealand, including the New Zealand Stock Exchange - which had its servers knocked out of public view for nearly a week in August.

Titanium Defence cyber security expert Tony Grasso, who was the cyber lead at the Department of Internal Affairs, told Morning Report file sharing systems could weaken security.

Grasso said there was still lots of questions about the breach to be answered.

"The question that will be on my mind, and I'm sure this will be what they're looking at is, who got in, how did they get in, and more importantly, what information has been taken from this file share, but more interestingly than that, have they got from the file share onto the bank systems internally?"

However, he said it would be hard to say who could be behind the breach at this stage.

"You have to always keep in mind it may be a foreign intelligence national agency whenever something as big as the Reserve Bank ... any government department within reason, you always have to have that at the back of your mind.

"It would be interesting to find out how they were caught. Our detection systems here are good, if it's one of those systems that have come from another government agency, a more sensitive government agency, that may indicate it was a foreign actor, or these days criminal gangs are getting together and they've become an industry on their own and are really good at getting into organisations.

"Imagine the ransom you could put on the Reserve Bank if you encrypted all their data, for example."

Grasso hoped for a more detailed report from the Reserve Bank on who it could be.

"The Americans are very good at saying 'it was definitely a foreign government' and they normally name them as well. It would be good to know if it was that, if it was a criminal organisation or if was it a just a lone wolf, we have loads of these in our industry."

The Reserve Bank said sensitive info "may" have been breached.

The type of information exposed would depend on who the third party was, Grass said.

"A third party could be just an IT provider and they're just sharing architecture documents, that would be bad of course. But it could be information around Covid for example.

"If they were working with external agencies about the recovery of the company from Covid ... it could be papers around how we're planning for our recovery, I mean who knows.

"I would hope that sensitive stuff like that isn't held in a third party file server, I'm fairly sure it wouldn't be."

He said even if its own systems were very secure, having a third party who was insecure connecting to the systems could bring a threat.

Yesterday, Reserve Bank Governor Adrian Orr said they were investigating the breach with experts and authorities.

"The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information.

"It will take time to understand the full implications of this breach, and we are working with system users whose information may have been accessed. Our core functions remain sound and operational."

The Reserve Bank declined a request for an interview with Morning Report.

RNZ / Newshub