BNZ's mobile banking services crashed on Wednesday morning due to an internal systems issue, with many customers unable to access their bank accounts.
The bank's mobile application was unavailable from approximately 10am until 12:30pm, leaving thousands of customers unable to check balances, make payments, or conduct routine banking transactions. BNZ attributed the outage to an internal systems issue but would not confirm whether the disruption was connected to the wave of DDoS attacks that had been targeting New Zealand organisations in previous days.
The Government Communications Security Bureau (GCSB) and New Zealand's Five Eyes intelligence partners were already investigating the broader wave of DDoS attacks that had brought down the New Zealand Exchange (NZX) and targeted other high-profile organisations including MetService, Westpac, stuff.co.nz, and Radio NZ. The timing of the BNZ outage, coming in the midst of this sustained campaign, raised inevitable questions about whether the two events were related.
Jonathan Sharrock, a senior cyber security expert at Cyber Citadel, noted that a "smokescreen" effect is common during sustained DDoS campaigns. When attackers target an organisation, the impact is not always confined to the intended victim. Companies that share network infrastructure, telecommunications providers, or data centres with the targeted organisation can experience collateral disruption as the malicious traffic congests shared resources.
"There is disruption going on," Sharrock explained. "When a major DDoS attack hits, the resources of the telecommunications providers and network infrastructure operators are diverted to managing the crisis. That means other organisations on the same network may experience degraded service or outages, even if they are not the direct target of the attack."
Sharrock described the cascading nature of DDoS disruption: as security teams and network operators rush to respond to one fire, others start breaking out. "You are trying to put out that fire and there is another one starting," he said. "The attackers know this. They know that a sustained campaign creates confusion and stretches resources thin. While everyone is focused on the DDoS, there may be other, quieter intrusions happening that go unnoticed."
"You are trying to put out that fire and there is another one starting." — Jonathan Sharrock, Cyber Citadel
The BNZ outage, whether directly linked to the DDoS campaign or not, highlighted the fragility of interconnected digital infrastructure. When critical services such as banking, media, and financial markets are disrupted in close succession, public confidence in the security and reliability of digital systems is eroded. For organisations across New Zealand, the events of late August and early September 2020 served as a powerful reminder that cyber resilience is not just a technical concern — it is a matter of national infrastructure security.
Published in Stuff — 2 September 2020.