John Edwards (Privacy Commissioner)
The Office of the Privacy Commissioner has issued its first compliance notice since receiving new powers under the Privacy Act 2020 to the Reserve Bank of New Zealand (RBNZ), the move triggered by a cyber attack in December last year.
In early January, the Reserve Bank of New Zealand – Te Pūtea Matua – revealed it was responding ‘with urgency’ to a breach of a third-party file sharing service used to share and store some sensitive information.
It emerged that, in December 2020, the Reserve Bank had become the victim of a cyber attack, which raised the possibility of systemic weaknesses in the RBNZ systems and processes for protecting personal information.
The breach occurred via a legacy Accellion file sharing system called File Transfer Application – FTA, which the bank has since replaced with a new system.
As a result, RBNZ instigated an internal and external review to identify any shortcomings in its operations.
As part of the investigation into the breach the Bank engaged KPMG to undertake an independent review of its systems and processes. The review revealed multiple areas of non-compliance with Privacy Principle 5 – storage and security of personal information.
Following the review of the privacy breach, the Privacy Commissioner determined that the Reserve Bank failed to adequately protect a subset of personal information it held despite security safeguards.
The Reserve Bank has now instigated a programme of work to improve policies and processes for protecting personal information.
The compliance notice issued by the Privacy Commissioner as a result of the incident is designed to prov ..
Support the originator by clicking the read the rest link below.