Incident: Cyberattack on RBNZ's File Sharing Service Leads to Data Breach

Published Date: 2021-01-14

Postmortem Analysis
Timeline
1. The software failure incident happened recently, as per the article [109747]. Estimation: Step 1: The article, published on January 14, 2021, mentions that the breach was first announced on Sunday. Step 2: Considering the article was published shortly after the incident was announced, the software failure incident likely occurred in early January 2021.

System
1. Legacy File Transfer Appliance (FTA) by Accellion [109747]

Responsible Organization
1. A malicious third party committed the cyberattack on the Reserve Bank of New Zealand [109747].
2. The vulnerability in the legacy File Transfer Appliance (FTA) software provided by Accellion allowed the breach to occur [109747].

Impacted Organization
1. Reserve Bank of New Zealand (RBNZ) [Article 109747]

Software Causes
1. The software cause of the failure incident was a vulnerability in the legacy File Transfer Appliance (FTA) provided by Accellion, a 20-year-old product specializing in large file transfers, which was illegally accessed by hackers [109747].

Non-software Causes
1. Lack of timely response and patching: The delay in identifying the issue, creating a patch, and communicating it allowed the hackers to exploit the vulnerability [109747].
2. Insufficient proactive measures: The failure to upgrade the 20-year-old File Transfer Appliance software despite being aware of risks to the IT infrastructure [109747].

Impacts
1. The software failure incident led to a serious data breach at the Reserve Bank of New Zealand (RBNZ) [109747].
2. The breach compromised the security and confidentiality of data held by the central bank [109747].
3. The incident caused disruption and raised concerns about the standards of data protection and service provisions at RBNZ [109747].
4. The breach highlighted the vulnerability of the legacy File Transfer Appliance (FTA) software used by RBNZ for large file transfers [109747].
5. The breach resulted in the need for an independent investigation and review of the incident to understand the extent of the impact and to take necessary steps for mitigation [109747].

Preventions
1. Regularly updating and patching software: The incident involving the breach at the Reserve Bank of New Zealand (RBNZ) could have been prevented if the RBNZ had regularly updated and patched the 20-year-old File Transfer Appliance (FTA) software [109747].
2. Timely communication and implementation of patches: Faster communication and implementation of patches after identifying vulnerabilities in the software could have prevented the hackers from exploiting the system, as highlighted by Dave Parry, a professor of computer science at Auckland University of Technology [109747].

Fixes
1. Upgrading the 20-year-old File Transfer Appliance (FTA) software to the latest version to prevent vulnerabilities exploited by hackers [109747].
2. Implementing a more efficient process for identifying issues, releasing patches, and communicating them promptly to prevent hackers from taking advantage of the time gap [109747].

References
1. Reserve Bank of New Zealand (RBNZ) [Article 109747]
2. Governor Adrian Orr [Article 109747]
3. Accellion [Article 109747]
4. Dave Parry, professor of computer science at Auckland University of Technology [Article 109747]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident having happened again at one_organization: The Reserve Bank of New Zealand (RBNZ) experienced a serious data breach due to a cyberattack involving a file sharing service provided by Accellion. This incident occurred just months after New Zealand’s stock exchange operator faced distributed denial of service attacks that disrupted trading for several days [109747]. (b) The software failure incident having happened again at multiple_organization: There is no specific mention in the provided article about similar incidents happening at other organizations or with their products and services.
Phase (Design/Operation) design, operation (a) The software failure incident in the article can be attributed to the design phase. The breach at the Reserve Bank of New Zealand (RBNZ) occurred due to a vulnerability in the legacy File Transfer Appliance (FTA), a 20-year-old product specialized in large file transfers. Accellion, the provider of the file sharing service, identified the vulnerability in mid-December and released a patch within 72 hours to the affected customers. However, the time taken between identifying the issue, creating a patch, and communicating it allowed the hackers to exploit the vulnerability [109747]. (b) The software failure incident can also be linked to the operation phase. The breach was a result of the system being illegally accessed, indicating a failure in the operation or misuse of the system. Despite being aware of the risks to its IT infrastructure, the RBNZ did not upgrade the 20-year-old FTA software in time, which contributed to the breach. The delay in addressing the vulnerability and patching the system allowed the hackers to exploit the weakness [109747].
Boundary (Internal/External) within_system, outside_system (a) within_system: The software failure incident at the Reserve Bank of New Zealand (RBNZ) was partially within the system's boundary. The breach occurred due to a vulnerability in the legacy File Transfer Appliance (FTA), a 20-year-old product used for large file transfers. Accellion, the provider of the file sharing service, identified the vulnerability in mid-December and released a patch within 72 hours to the affected customers. However, the delay in identifying the issue, patching it, and communicating it allowed the hackers to exploit the vulnerability [109747]. (b) outside_system: The software failure incident at RBNZ also had contributing factors that originated from outside the system. The breach was a result of a cyberattack on the file sharing service provided by Accellion, a California-based company. The attackers illegally accessed the service, leading to a serious data breach at the central bank. This external cyberattack compromised the security of the system and resulted in significant data implications for RBNZ [109747].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in this case occurred due to non-human actions, specifically a cyberattack on the Reserve Bank of New Zealand's file sharing service provided by Accellion. The breach was a result of a vulnerability in Accellion's legacy File Transfer Appliance (FTA) product, which was exploited by malicious third parties [109747]. (b) Human actions also played a role in this software failure incident as the head of the Reserve Bank of New Zealand took ownership of the issue, apologizing for falling short of the standards expected by stakeholders. Additionally, the delay in identifying the issue, making a patch, and communicating it allowed the hackers to exploit the vulnerability [109747].
Dimension (Hardware/Software) software (a) The software failure incident in the article was not directly attributed to hardware issues. The breach at the Reserve Bank of New Zealand (RBNZ) was a result of a cyberattack on a file sharing service provided by Accellion, a software company based in California. The breach was due to the illegal access of Accellion's legacy File Transfer Appliance (FTA) software, which was a 20-year-old product specializing in large file transfers [109747]. (b) The software failure incident in the article was primarily attributed to contributing factors originating in software. The breach at RBNZ occurred due to a vulnerability in Accellion's FTA software, which was exploited by hackers. The delay in identifying the issue, creating a patch, and communicating it allowed the hackers to act swiftly, indicating a software-related failure in the incident [109747].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident in this case was malicious. The breach at the Reserve Bank of New Zealand was a result of a cyberattack where a file sharing service provided by Accellion was illegally accessed by a malicious third party [109747]. The governor of the bank, Adrian Orr, acknowledged that a malicious third party committed the crime, indicating that the failure was due to contributing factors introduced by humans with the intent to harm the system.
Intent (Poor/Accidental Decisions) poor_decisions (a) The software failure incident at the Reserve Bank of New Zealand (RBNZ) was primarily due to poor decisions. The incident involved a cyberattack that led to a serious data breach at the central bank. The breach occurred through a file sharing service provided by Accellion, a 20-year-old product that specialises in large file transfers. Accellion was aware of the vulnerability in its legacy File Transfer Appliance (FTA) in mid-December but took 72 hours to release a patch to fewer than 50 affected customers [109747]. The head of RBNZ, Adrian Orr, took ownership of the issue and expressed disappointment, acknowledging that the breach was serious and had significant data implications. He mentioned that the bank had fallen short of the standards expected by stakeholders. Additionally, Dave Parry, a professor of computer science, highlighted that the time taken to identify the issue, make a patch, and communicate it allowed the hackers to act faster. Parry suggested that RBNZ could have upgraded the 20-year-old FTA software to mitigate the risks [109747].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident in the article can be attributed to development incompetence. The incident occurred due to a vulnerability in a 20-year-old product, the File Transfer Appliance (FTA), provided by Accellion. The company was aware of the vulnerability in mid-December but took 72 hours to release a patch to fewer than 50 affected customers [109747]. (b) Additionally, the incident can also be considered accidental as the breach was caused by a malicious third party exploiting the vulnerability in the legacy FTA software. The delay in identifying the issue, patching it, and communicating it allowed the hackers to act, indicating an accidental failure in the incident response process [109747].
Duration temporary The software failure incident reported in the article was temporary. The breach of the file sharing service provided by Accellion was due to a vulnerability in its legacy File Transfer Appliance (FTA) product, which was promptly resolved with a patch released within 72 hours to the affected customers [109747]. The breach was not a permanent failure but rather a temporary incident caused by specific circumstances related to the vulnerability in the software.
Behaviour other (a) crash: The software failure incident in Article 109747 is not described as a crash where the system loses state and does not perform any of its intended functions. (b) omission: The incident does not mention the software omitting to perform its intended functions at an instance(s). (c) timing: The incident does not indicate that the software performed its intended functions correctly but too late or too early. (d) value: The software failure incident in Article 109747 does not involve the system performing its intended functions incorrectly. (e) byzantine: The incident does not describe the software behaving erroneously with inconsistent responses and interactions. (f) other: The behavior of the software failure incident in Article 109747 is related to a cyberattack that led to a serious data breach at the central bank, indicating a security breach rather than a specific software behavior as described in options (a) to (e).

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property (d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident at the Reserve Bank of New Zealand (RBNZ) resulted in a serious data breach, where a file sharing service provided by Accellion was illegally accessed, leading to significant data implications [109747]. The breach exposed a vulnerability in Accellion's legacy File Transfer Appliance (FTA) product, affecting fewer than 50 customers, including the RBNZ. As a result, sensitive data was compromised, indicating that people's data and information were impacted by the software failure incident.
Domain finance (a) The failed system was related to the finance industry as it affected the Reserve Bank of New Zealand (RBNZ), which is the central bank of New Zealand responsible for monetary policy and financial stability [Article 109747].
