Reserve Bank governor Adrian Orr has called in an independent investigator to review a “malicious and illegal breach” at the central bank and apologised for letting down the public.
The bank announced on Sunday that a file-sharing application, known as Accellion, had been compromised, potentially exposing personal and commercially sensitive information.
“We apologise unreservedly to all affected parties for this breach,” Orr said in a recorded statement released on Friday.
“I personally own the issue. I am very sorry and I am very disappointed to be here giving this news.”
Earlier this week, it was revealed the Bank had been warned in mid-December of a critical vulnerability in the third-party file-sharing service. The Bank says the application has now been shut down and secured.
Orr said while service levels had been below what the bank would have accepted, the bank also took some responsibility.
“We accept that our actions to date have fallen short of the public’s expectations.”
The bank was giving the matter its full attention and had launched a detailed forensic cyber investigation, Orr said.
“Be assured, we are taking action,” Orr said. “We are working closely with public authorities and utilising international expertise as necessary.”
An independent reviewer had also been commissioned to conduct a full inquiry due to the “enormous public interest”.
“We will be transparent and as clear as is possible as this review progresses.
“There are serious questions to be answered: how this incident occurred and how to strengthen our systems and processes.”
The review’s terms of reference would be released publicly shortly.
“I’m not in a position to provide further details on the investigation at this stage as any further details could adversely affect… the steps being taken to mitigate the breach,” Orr said.
“I want to finish by saying how deeply this has impacted us at the Bank and how important it is being prioritised for us personally.”