Reserve Bank of New Zealand Accellion FTA breach
Attackers exploited a zero-day in the legacy Accellion File Transfer Appliance to breach New Zealand's central bank, accessing commercially and personally sensitive files; the cleanup cost the Reserve Bank around NZ$3.5 million.
- Victim: Reserve Bank of New Zealand (Te Pūtea Matua)
- Loss: $2.4M
On Christmas Day 2020, attackers breached the Reserve Bank of New Zealand (Te Pūtea Matua) by exploiting a zero-day vulnerability in the Accellion File Transfer Appliance (FTA), a legacy third-party tool the central bank used to share and store files with external partners. The Bank became one of the most prominent victims of a global campaign against the ageing Accellion product.
What happened
The Accellion FTA was a roughly twenty-year-old file-transfer appliance that the Reserve Bank used for secure file transfer, storage, and collaboration — meaning a large volume of inbound and outbound information passed through it. In December 2020, attackers chained a set of zero-day vulnerabilities (CVE-2021-27101 through CVE-2021-27104) to gain access to FTA instances worldwide and exfiltrate the files they held.
Security vendor FireEye had warned Accellion as early as 16 December 2020 that the flaw was being actively exploited, and patches existed. But, according to a post-mortem by KPMG, Accellion's email alerting tool failed to send the notifications, so the Reserve Bank was not informed until 6 January 2021 — nearly two weeks after the 25 December intrusion.
Impact
- The compromised system held commercially and personally sensitive information belonging to the Bank and its stakeholders.
- The Bank could not immediately quantify exactly what had been taken, given the volume of data the FTA had handled.
- Governor Adrian Orr publicly apologised, acknowledging the Bank had been let down by its supplier and by its own oversight of the legacy system.
- The Reserve Bank estimated the total breach-response cost at around NZ$3.5 million, covering forensic investigation, the KPMG review, and remediation.
Attribution
The Reserve Bank was one of dozens of organisations worldwide — including government agencies, universities, and corporations — hit through the same Accellion FTA vulnerabilities. The broader campaign was widely linked by researchers to the financially motivated FIN11 group and the Clop extortion operation, which used the stolen data for leak-site extortion against other victims.
Why it matters
The breach is a textbook case of third-party and legacy-software risk. A central bank — an institution expected to hold the highest security standards — was compromised not through its core systems but through an end-of-life appliance from a single vendor whose own warning mechanism failed. It pushed New Zealand's public sector to accelerate the retirement of unsupported software, tighten supplier-assurance requirements, and treat third-party file-transfer tools as critical attack surface.
Timeline
- 16 December 2020: Security vendor FireEye warns Accellion that a vulnerability in its File Transfer Appliance (FTA) is being actively exploited; a patch is available.
- 25 December 2020: Attackers breach the Reserve Bank of New Zealand's Accellion FTA instance on Christmas Day.
- 6 January 2021: The Reserve Bank is finally notified of the malicious activity, after Accellion's alerting tool fails to deliver warnings on time.
- The Reserve Bank publicly discloses that a third-party file-sharing application has been illegally accessed.
- Governor Adrian Orr publicly apologises and the Bank secures the system, with KPMG commissioned to conduct an independent review.
- The Reserve Bank publishes its response, estimating the breach-response cost at around NZ$3.5 million.
Sources
- rbnz.govt.nz: https://www.rbnz.govt.nz/hub/news/2021/05/reserve-bank-taking-action-to-respond-to-data-breach-reports
- rbnz.govt.nz: https://www.rbnz.govt.nz/about-us/corporate-publications/our-response-to-the-data-breach
- itnews.com.au: https://www.itnews.com.au/news/accellions-failure-to-warn-rbnz-of-exploited-bug-led-to-hack-565323
- securityweek.com: https://www.securityweek.com/new-zealand-central-bank-says-accellion-service-heart-cyberattack/