A third-party secure file-sharing supplier used by the Reserve Bank of New Zealand was breached in a cyberattack.
# Incident Report: Accellion Breach Affecting New Zealand Central Bank
## Executive Summary
A cyberattack targeted Accellion, a third-party secure file-sharing vendor used by the Reserve Bank of New Zealand (RBNZ). The attack was not specific to RBNZ, as multiple other users of the Accellion File Transfer Application (FTA) were compromised. The incident resulted in the potential exposure of commercially and personally sensitive information stored within the RBNZ's secured files.
## Incident Details
- Discovery Date: January 12, 2021 (Date of public disclosure by RBNZ)
- Incident Date: Undisclosed, but occurred prior to January 12, 2021
- Affected Organization: Reserve Bank of New Zealand (RBNZ) via third-party vendor Accellion
- Sector: Financial Services / Central Banking
- Geography: New Zealand
## Timeline of Events
### Initial Access
- Date/Time: Undisclosed
- Vector: Exploitation of Accellion's File Transfer Application (FTA).
- Details: Accellion, the third-party provider, suffered a cyberattack resulting in unauthorized access to its FTA platform used by clients like RBNZ.
### Lateral Movement
- Details: Not specified. The attack targeted the vendor's platform hosting the data rather than RBNZ's internal network directly.
### Data Exfiltration/Impact
- Details: The compromised data potentially includes commercially sensitive information and Personally Identifiable Information (PII). Multiple other organizations using the Accellion FTA were also impacted.
### Detection & Response
- Date/Time: RBNZ became aware and issued a statement on January 12, 2021.
- Details: RBNZ was advised by Accellion about the breach affecting other users. Investigations began, and RBNZ began working directly with affected stakeholders.
## Attack Methodology
- Initial Access: Exploitation/breach of the Accellion File Transfer Application (FTA).
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified (focus was on vendor platform vulnerability).
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Not specified.
- Collection: Gathering of commercially and personally sensitive information stored within the FTA.
- Exfiltration: Data extracted from the compromised Accellion servers/application.
- Impact: Confidentiality breach of data held on the third-party platform.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Sensitive commercial and personal information (PII) potentially exposed.
- Operational: Operational continuity procedures initiated by RBNZ following disclosure.
- Reputational: Potential impact due to the breach of a central bank's sensitive records.
## Indicators of Compromise
- Network indicators: No specific malicious IPs or domains were listed, as details were withheld for investigation purposes.
- File indicators: Not disclosed.
- Behavioral indicators: Unauthorized access and data exfiltration from the Accellion FTA environment.
## Response Actions
- Containment measures: Details withheld to protect investigation efforts.
- Eradication steps: Details withheld to protect investigation efforts.
- Recovery actions: RBNZ is working directly with affected stakeholders to mitigate the breach.
## Lessons Learned
- Supply Chain Risk: The incident highlights the significant vulnerability introduced by relying on third-party vendors (Accellion) that handle sensitive data. A single compromised vendor can lead to breaches across multiple organizations.
- Visibility: The incident also shows how little visibility organizations have into the security posture of their critical vendors.
## Recommendations
- Strengthen Vendor Risk Management (VRM) programs to rigorously assess the security posture of all third-party vendors, especially those handling sensitive or regulated data.
- Review contracts and security requirements for third-party file-sharing solutions, ensuring strong minimum security standards are met and regularly audited.
- Reduce reliance on third-party file-sharing solutions for highly sensitive data when possible, favoring internally managed, hardened infrastructure.