New Zealand’s biggest data breach, which affected almost 1 million people, has highlighted the importance of data retention policies in data security. The breach occurred at the financial services company Accellion, which the New Zealand Reserve Bank used to transfer files.
Accellion, a California-based company, notified its customers on December 23, 2020, of a security incident in which an unauthorized person gained access to one of its legacy products, known as FTA. This allowed the attacker to access a number of Accellion’s clients, including the New Zealand Reserve Bank.
The Reserve Bank initially stated that no sensitive information was taken in the breach, but later announced that the attacker had access to the personal information of almost 1 million individuals, including names, email addresses, and other sensitive information.
The incident highlights the importance of data retention policies in data security. Retention policies determine how long an organization holds personal information and when that information is destroyed. In the case of the Reserve Bank, it is not clear why personal information was being stored on a third-party platform such as Accellion’s FTA, or why it was not deleted once it was no longer needed.
Data retention policies are an essential aspect of data security, as they can help organizations manage their data more effectively and reduce the risk of data breaches. By having clear and effective data retention policies, organizations can minimize the amount of personal information they hold, and ensure that it is securely destroyed when it is no longer needed.
The Reserve Bank has since launched an investigation into the breach and suspended its use of Accellion’s FTA product. The incident has also prompted other organizations to review their own data retention policies and assess their third-party suppliers.
In conclusion, the New Zealand Reserve Bank’s data breach highlights the importance of data retention policies in data security. The incident should serve as a reminder to all organizations to regularly review their data retention policies and ensure they are following best practices in data security.