New Zealand’s Privacy Commissioner issued its first compliance notice to the Reserve Bank.
The notice follows an online attack on the bank’s systems in December 2020.
While the notice makes sense, a press release from the Commissioner’s office reads more bureaucratic procedure than a public shaming.
The Reserve Bank breach happened when software which claims to be secure enough to move confidential information between banks was compromised.
Reports suggest other organisations caught up in the same attack paid ransoms to the attackers. We don’t know if the Reserve Bank paid up.
The attack breached the Reserve Bank’s security systems. As John Edwards, the Privacy Commissioner says, it “raised the possibility of systemic weakness in the Bank’s systems and processes for protecting personal information.”
A review of the Bank’s systems uncovered many areas where it has not complied with the Privacy Act’s Principal 5. This says agencies that hold personal information must have reasonable safeguards in place to protect personal privacy.
Yet, the press release from the Privacy Commissioner quotes Edwards saying: “We are heartened by the speed and thoroughness of the Bank’s response. We were notified as soon as the cyber-attack was identified, and they have been constructive and open throughout the compliance investigation process. We are pleased to see the positive way they’ve dealt with the aftermath of the attack.”
In other words, it was sloppy but ended up doing the right thing.
The press release quotes Reserve Bank governor Adrian Orr attempting unconvincing damage limitation.
Yet the whole point of the Act is to pre-empt online attacks. Organisations like the Reserve Bank should have robust protections in place before any private information is put at risk.
While the notice is real enough, this first one is something of a practice run for dealing with future compliance failures.