Breaches in third party software or service providers in any industry pose a security threat for all their customers. Many times, threat actors can use vulnerabilities in third-party applications to target companies that fail to apply patches. The patch was released 72 hours after the vulnerability was disclosed and it is unclear if the bank updated its systems or if the attacker managed to exploit the vulnerability within the 72 hours. Whenever a system that is used by a company finds a vulnerability and pushes a patch to their customer, the system should be updated as soon as it is practical, after any required testing, to ensure the company is protecting themselves to the best of their ability. The type of information affected was not disclosed by the bank in order to not compromise the ongoing investigation, but they did state that commercially and personally sensitive information may have been accessed. Whenever someone is a client of a company that is the victim of an attack that includes breached data, proper precautions should take place. Since bank data was potentially taken in this case, affected parties should begin to watch their credit and bank accounts for fraudulent charges. People should also be aware of other scams that can be carried out after a breach such as phishing campaigns targeting victims.

More can be read here: https://securityaffairs.co/wordpress/113374/hacking/new-zealand-central-bank-attack-accellion.html?web_view=true

Sources: https://www.zdnet.com/article/phishing-warning-these-are-the-brands-most-likely-to-be-impersonated-by-crooks-so-stay-alert/