The bank is currently liaising with organisations whose data was lifted during the breach in December and has appointed external legal advisers to providing assurance checks and advice on any personal information which was included in the downloaded files.

The malicious attack stemmed from a service provided by Accellion called FTA (File Transfer Application), used by the Bank to share and store some sensitive information.

“We had no warning to avoid the attack which began in mid-December. Accellion failed to notify the Bank for five days that an attack was occurring against its customers around the world, and that a patch was available that would have prevented this breach," says Orr. “If we were notified at the appropriate time, we could have patched the system and avoided the breach. Our own analysis has identified shortcomings in our processes once the system was breached. The impact this had is part of the review underway.”

Orr says a forensic and criminal investigations into the breach is ongoing, as well as an independent KPMG review of the Bank’s systems and processes.

“For security reasons, we can’t provide specific details about the number of files downloaded, or information they contain. We have been in regular communication with all organisations who have had files illegally downloaded."

The Australian Securities and Investments Commission (Asic) also suffered a cyber security breach related to its use of the Accellion file sharing software. The incident, which involved unauthorised access to a server which contained documents associated with recent Australian credit licence applications, was only uincovered on 15 January.