The Reserve Bank of New Zealand (RBNZ) calculates the final cost of its response to a cyber attack in December will be around $NZ3.5 million ($3.27 million) and says it was “over reliant” on file transfer system provider Accellion to alert it to vulnerabilities.

The estimate comes as the RBNZ releases findings from KPMG on the data breach and the handling of sensitive information by the RBNZ, which Governor Adrian Orr says “takes full responsibility for our shortfalls identified”.

“We were over reliant on Accellion – the supplier of the file transfer application (FTA) – to alert us to any vulnerabilities in their system,” Mr Orr said. “Their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning.”

On Christmas day last year, the central bank was one of a number of victims of a cyber-attack on Accellion, a third-party application it used to share and store information. KPMG performed an independent review to identify areas for procedural improvement.

KPMG found the December hack exposed more RBNZ information than it should have because use of the Accellion system by the central bank “was not limited to secure file transfers as intended”.

“Working practices evolved over time to the point where the system was also used as an information repository and collaboration tool, which was not in adherence with the Bank’s 2014 guidelines on acceptable use of the system,” KPMG said. “Adherence would have significantly reduced the volume of information at risk."

Mr Orr says the Bank accepts the findings and is implementing the recommendations.

“If these practices were in place at the time of the illegal beach the impact would have been less,” Mr Orr said. “I am disappointed about the incident and the impact it has had on people, including our own team. I am confident, however, that we have responded with urgency, precision, and care.”