In a first since new privacy laws were passed last year, the Privacy Commissioner on Wednesday issued a compliance notice to the Reserve Bank of New Zealand.
The notice was triggered by a cyber-attack on December 25, 2020. The attack led to the illegal access of sensitive information stored in a third-party file sharing service used by the Bank.
An independent report by KPMG identified shortfalls in the Bank’s cyber security practices in May.
Reserve Bank Governor Adrian Orr accepted the shortcomings and said the Bank would implement the report’s recommendations.
The compliance notice requires the organisation to take action in order to comply with the Privacy Act. Failing to do so can lead to a $10,000 fine.
Privacy Commissioner John Edwards said the cyber-attack “raised the possibility of systemic weakness in the Bank’s systems” when protecting personal information.
“We are heartened by the speed and thoroughness of the Bank’s response,” Edwards said.
“We were notified as soon as the cyber-attack was identified, and they have been constructive and open throughout the compliance investigation process.
“We are pleased to see the positive way they’ve dealt with the aftermath of the attack.”
He said the compliance notice gives the Bank a “template” to continue the improvement of its policies and procedures.
Orr accepted the Privacy Commissioner’s findings.
“We accept these findings and take full responsibility for the shortfalls identified in our systems and processes.
“We have a detailed programme of work underway to address these.”