More On The NZ Reserve Bank Breach

Seems hackers broke into a secure file-sharing service called Accellion, based in California. The RBNZ was using that to exchange documents with the likes of banks and insurance companies. <https://www.stuff.co.nz/business/123911764/reserve-bank-reveals-more-details-of-cyberattack>

On Mon, 11 Jan 2021 18:20:07 +1300, I wrote:
Seems hackers broke into a secure file-sharing service called Accellion, based in California. The RBNZ was using that to exchange documents with the likes of banks and insurance companies.
There was a bug in the client software used by customers. The company issued a patch, but it appears the RBNZ was a little slow applying it <https://www.stuff.co.nz/business/123921564/reserve-bank-hack-bank-may-not-have-applied-patch-in-time>. Seems the software is rather old, dating back 20 years <https://www.stuff.co.nz/business/opinion-analysis/123922521/reserve-bank-hack-has-brought-its-capabilities-into-question>.

Seems hackers broke into a secure file-sharing service called Accellion, based in California. The RBNZ was using that to exchange documents with the likes of banks and insurance companies.
There was a bug in the client software used by customers. The company issued a patch, but it appears the RBNZ was a little slow applying it <https://www.stuff.co.nz/business/123921564/reserve-bank-hack-bank-may-not-have-applied-patch-in-time>.
Seems the software is rather old, dating back 20 years <https://www.stuff.co.nz/business/opinion-analysis/123922521/reserve-bank-hack-has-brought-its-capabilities-into-question>.
Considering that there are so many open-source tools out there... It's a shame... Just had a look at what the university uses, and it looks like they use https://zend.to/ (according to bits in the HTML source code).

Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 577-5304
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/

On Mon, 11 Jan 2021 18:20:07 +1300, I wrote:
Seems hackers broke into a secure file-sharing service called Accellion, based in California.
Funny story: that same product has been exploited by other hackers, to steal confidential documents from aviation company Bombardier <https://www.theregister.com/2021/02/23/bombardier_clop_ransomware_leaks/>, among others.

On Mon, 11 Jan 2021 18:20:07 +1300, I wrote:
Seems hackers broke into a secure file-sharing service called Accellion, based in California. The RBNZ was using that to exchange documents with the likes of banks and insurance companies.
Followup: the RBNZ has been hit with a compliance notice from the Privacy Commissioner under Principle 5 of the Privacy Act <https://www.nzherald.co.nz/business/reserve-bank-hit-with-compliance-notice-from-privacy-commissioner-over-data-breach/GSMMPOPR2SCWIIYFFPR36OGAEU/>. In other words, it has failed to ensure reasonable safeguards against “loss, misuse or disclosure of personal information”. Failure to comply can mean a $10,000 fine.

I wrote:
Followup: the RBNZ has been hit with a compliance notice from the Privacy Commissioner under Principle 5 of the Privacy Act ...
Interesting to note, the current Privacy Commissioner is soon to leave us and take up a maybe-not-too-dissimilar post (“Information Commissioner”) in the UK <https://www.theregister.com/2021/09/13/new_uk_ico_promises_to/>. That article references a comment he made on Twitter in the aftermath of the Christchurch mosque shootings, where he described Facebook as “morally bankrupt pathological liars”. Since then, he has seemed to change his mind, and now says he will be “fair and impartial” in his dealings with Facebook and other social media networks.
participants (2)
- Lawrence D'Oliveiro
- Peter Reutemann