NZ central bank served compliance notice after data breach

The Reserve Bank of New Zealand (RBNZ or Te Putea Matua) has become the first organisation in New Zealand to be issued with a compliance notice for breaching the Privacy Act 2020.

New Zealand’s personal information watchdog, the Office of the Privacy Commissioner (Privacy Commission), has issued a compliance notice to the Reserve Bank of New Zealand (RBNZ) over a cyber attack that resulted in a data breach last December. 

The RBNZ reported the breach to the Privacy Commissioner in January 2021, raising the possibility of systemic weaknesses in the RBNZ systems and processes for protecting personal information.

These are believed to relate to “weakness in one of the agency’s third-party systems and some of [its] processes”.

According to the RBNZ, KPMG was enlisted to conduct an independent review of RBNZ’s systems and processes, the review finding that there were multiple areas of non-compliance with privacy principle 5 of New Zealand’s Privacy Act 2020. 

Principle 5 of the Privacy Act states that any agency that holds personal information must have reasonable security safeguards in place to protect personal privacy.

Following the review, the Privacy Commissioner determined that, despite the presence of existing security safeguards, the RBNZ failed to adequately protect a subset of personal information it possessed. 

The commissioner therefore issued a compliance notice to the RBNZ, the first issued since he received these new powers in December 2020.

The RBNZ will now need to report to the Privacy Commissioner regarding the improvements it will make to its policies and procedures to ensure that its systems are more secure.

Speaking of the cyber attack, Privacy Commissioner John Edwards said that this was a “significant breach of one of the bank’s security systems and raised the possibility of systemic weakness in the bank’s systems and processes for protecting personal information”.

“We are heartened by the speed and thoroughness of the bank’s response. We were notified as soon as the cyber-attack was identified, and they have been constructive and open throughout the compliance investigation process. We are pleased to see the positive way they’ve dealt with the aftermath of the attack,” he said.

“Our role as a regulator is to deliver better privacy outcomes for all New Zealanders, using the powers at our disposal. Where we identify issues that compromise the security of personal information, we will use our compliance powers to make sure that these risks are addressed.

“This compliance notice also provides a learning opportunity for the bank, and for other agencies. We appreciate the maturity and openness the bank have shown throughout this process, and hope that others, too, can learn from this situation.”

Mr Edwards later added that while the Privacy Act doesn’t require all compliance notices to be published, it does allow those believed to be within the public’s interest to be released, and that the RBNZ notice met these standards.   

“Publishing the full details of the compliance notice might compromise some of the ongoing efforts to fully rectify the matters that have been identified,” Mr Edwards explained. 

“However, I have decided it is necessary to publicly acknowledge the steps being taken by the bank, to provide assurance to the public that these issues are being addressed.”

Reserve Bank governor Adrian Orr added that the Privacy Commission’s findings were “consistent with the findings and recommendations in the KPMG review”. 

He said: “We accept these findings and take full responsibility for the shortfalls identified in our systems and processes.

“We have a detailed programme of work underway to address these. This work started shortly after the data breach incident through our business services improvement programme which continues to be a key priority for us here at Te Pūtea Matua.

“I would like to again thank the [the Privacy Commission] for their support throughout this incident and the collaborative approach they have taken during their investigation.”

The announcement follows the latest Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report that found that Australia’s financial and insurance services were the equal top-sixth sector for cyber-security incidents. 

The latest Notifiable Data Breaches Report, published by Office of the Australian Information Commissioner (OAIC) last month, reported similar findings with roughly 58 per cent of data breaches in Australia’s financial sector during the first half of 2021 considered to be malicious or criminal related. 

[Related: Momentum launches new cyber-security podcast]