The Reserve Bank of New Zealand says an investigation into the cyberattack that hacked its data systems this week revealed it was dealing with a significant data breach.
The breach was announced earlier this week and RBNZ said a file sharing service provided by California-based Accellion was illegally accessed.
"The ongoing investigation makes it clear that the breach is serious and has significant data implication," governor Adrian Orr said in video statement released to the media.
"While a malicious third party has committed the crime, and we believe service provisions have fallen short of our agreement, the bank has also fallen short of the standards expected by our stakeholders," Orr said in an accompanying written statement.
"Personally, I own this issue and I am disappointed and sorry," Orr said.
Accellion has said in its media responses that it was made aware of the vulnerability in mid-December and released a patch within 72 hours to the less than 50 customers affected.
The system that was breached has been secured and closed, and New Zealand's financial system remains sound and open for business, RBNZ said.
Apart from the forensic cyber investigation underway, the bank also appointed an independent third party to undertake a review of the incident.
Orr said he could not provide any further details as it could adversely affect the investigation and the steps being taken to mitigate the breach.
The breach comes just months after New Zealand's stock exchange operator was targeted in a series of distributed denial of service attacks that overwhelmed its website, preventing trading for several days.
Australian Associated Press