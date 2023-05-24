The Reserve Bank had long fought to keep secret whether it paid a ransom, but that suddenly changed on Wednesday.

The Reserve Bank has finally confirmed, more than two years after first being asked and six months into an ongoing Ombudsman’s investigation, that it did not pay a ransom after it was hacked in 2020.

A large amount of information supplied to the Reserve Bank by commercial banks was compromised in 2020, after hackers discovered a security hole in a commercial software system, called Accellion, which the central bank used to receive information.

But up until Wednesday, the Reserve Bank had declined to say whether it had paid off the hackers to dissuade them from dumping the stolen information online.

The bank rejected an official information act request for information on whether it paid a ransom last year and up until this week had also been seeking to dissuade the Office of the Ombudsman from forcing it to reveal whether a ransom was paid.

But a spokesperson said on Wednesday that it did not pay a ransom and had “followed advice which was consistent with recently-published government guidance on cyber-ransom payments”.

Minister for Digital Economy and Communications Ginny Andersen said last month that the Government’s “strong recommendation” was that victims of ransomware attacks should not pay ransoms, which appeared consistent with its previous messaging.

Reserve Bank governor Adrian Orr said the bank had been following advice from the Government on “whether we do or don’t talk about paying a ransom” and he said that advice had changed.

It had issued its statement on Wednesday because of a report in The Post, he said.

That report revealed that the bank had been seeking to prevent information on whether it paid a ransom from being released.