Friday Fry Up: The Reserve Bank data breach; NZ COVID tracing card an Aussie invention; Tech knight anointed

Friday Fry Up is Computerworld New Zealand’s weekly look at the world of IT.


The Reserve Bank data breach—a week of it

There is never a good time for a data breach but this traditionally arid New Zealand news week in January, when most journalists have returned to work while most politicians are still on holiday, has got to be one of the worst.

On Sunday, 10 January, the Reserve Bank issued a short statement explaining that a third-party file sharing service it used had been illegally accessed. The system had been taken offline and alternative file-sharing methods sought.

But the story didn’t end there, as our sister publication Reseller News covered. It wasn’t alone and given the media interest, the Reserve Bank issued another statement on Monday, this time naming the service: Accellion’s FTA (File Transfer Application).

The following day, Accellion put out its own statement noting that when it became aware of an external threat it referred to as a ‘P0 vulnerability’—a worst-case vulnerability—in its FTA software, it released a patch within 72 hours. It also pointed out that FTA is 20-year-old software and has fewer than 50 customers, whom Accellion has been urging to upgrade to the replacement software, Kiteworks, for some time.

So, was the Reserve Bank tardy in implementing the patch? It’s unclear. According to the Bleeping Computer site, time differences (Accellion is a US-based company) as well as timing (Christmas Eve) meant that the Reserve Bank didn’t get enough time to fully apply the patch effectively.

For its part, the Reserve Bank is keeping shtum, claiming that to provide further updates at this time could adversely affect the investigation and the steps being taken to mitigate the breach.

Another document in the public record relating to the breach was produced in May 2020 by Reserve Bank CIO Scott Fisher. It’s a proposal to implement a new digital strategy which involves personnel changes to the IT team and is likely to have been written in line with New Zealand employment laws that mandate consultation with staff prior to restructuring. Fisher’s argument for the changes includes a table explaining the purpose of the changes, with the following explanation:

From high operational risk due to technical obsolescence and an underinvestment in security across many of the core technology platforms.

To lower operational risk through a phased migration to resilient platforms underpinning our business, and an uplift in our cyber security capability.

Later in the document, Fisher references Accellion and Kiteworks, so it’s probable that moving to Kiteworks is on the bank’s roadmap. No doubt this will all come out in due course as the bank, unlike the NZX (which suffered through days of a DDoS attack last year), is a government entity and so will be required to make the report public.

While the Reserve Bank noted that some commercially and personally sensitive information may have been accessed, as is often the case with data breaches, the real damage may have been to its—and potentially its vendor’s—reputation.

As for the IT team restructure, an RBNZ spokesperson gave Fry Up this update: “The proposal referenced had a few changes made to it based on feedback but fundamentally the structure remained the same and the proposed changes implemented. We have completed recruitment for some roles whilst others are still to be filled.”

NZ COVID tracing card an Aussie invention

For those returning to work after the summer holiday, the first task was likely sifting through the emails that arrived in the inbox over the break. So it was that Fry Up discovered that the contact-tracing card trial in Ngongotahā, Rotorua late last year was a success—according to the Australian vendor that developed the tech.

The card, which is intended for those without access to the smartphone contact-tracing app, was developed by Safedome in Australia with a technology called Contact Harald (named after Harald Bluetooth, the 10th century Danish king who has lent his name to the short-range wireless technology). “A report on the results will be going to ministers next month and then next steps will be determined,” said a Ministry of Health spokesperson. The final costs of the pilot are yet to be determined.

Tech knight anointed

Huge congratulations to Sir Ian Taylor, founder of Animation Research Limited, who was recognised in the New Year Honours list and is to be a knight companion of the New Zealand Order of Merit.

We don’t get a lot of tech knights in Aotearoa New Zealand—and although the official citation is for “services to broadcasting, business, and the community”, the tech community has always claimed him.

Taylor (or should that be Sir Ian?) has been successful because he did what all successful tech entrepreneurs do: solved a problem. In his case, it was how to make the America’s Cup understandable to people onshore, which is most of us. ARL has pioneered real-time 3D graphics for sports events globally, while Taylor himself has given huge amounts of his time back to the community. His current focus is on the initiative Tech for Good, which is developing tech tools for use in education and healthcare.


Copyright © 2021 IDG Communications, Inc.
