πŸ”’breach.co.nz Β· the NZ & Australia breach register πŸ›‘οΈ A Govern service
Register β€Ί πŸ‡³πŸ‡Ώ NZ β€Ί Government

Reserve Bank of New Zealand (Accellion FTA)

πŸ‡³πŸ‡Ώ Wellington Β· Reserve Bank of New Zealand β€” Te PΕ«tea Matua Β· Record NZ-2021-0009
● Confirmed
People affected
Not disclosed
Breach date
2020-12
Regulator
NZ Privacy Commissioner
Trust tier
A Β· Confirmed

Data exposed

Commercially and personally sensitive information held in a third-party file-transfer service Company-confirmed

Confidence: Confirmed = regulator/court Β· Company-confirmed = the organisation's own disclosure Β· Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In late 2020 / early 2021 the Reserve Bank of New Zealand disclosed that a third-party file-transfer application (Accellion FTA) it used had been illegally accessed, exposing commercially and personally sensitive information held in that service [rbnz]. The Bank commissioned an independent review and reported the incident to authorities. The number of individuals affected was not officially quantified and is not estimated here.

Timeline

  • 2020-12 β€” Accellion FTA file-transfer service compromised (global supply-chain attack) [rbnz].
  • 2021-01 β€” RBNZ publicly disclosed the breach and began its response [rbnz].

Current status

Resolved, following an independent review and remediation. [rbnz]

Why it matters

A textbook supply-chain breach: the Bank itself wasn’t hacked directly β€” a widely-used file-transfer tool was β€” showing how third-party software can expose even a central bank.