The European Central Bank (ECB) has confirmed that it has suffered a breach that involved attackers injecting malware and led to a potential loss of data.
In a statement published August 15, the ECB confirmed that “unauthorized parties” had succeeded in breaching the security of its Banks’ Integrated Reporting Dictionary (BIRD) website. The site, hosted by an external provider, appears to have been attacked in December 2018, according to a Reuters report. The breach was discovered months later as routine maintenance work was being undertaken.
“The BIRD website provides the banking industry with details on how to produce statistical and supervisory reports,” the ECB statement said, “it is physically separate from any other external and internal ECB systems.”
In confirming that it had closed down the BIRD site until further notice, the ECB statement also revealed that the personal data of some subscribers to the BIRD newsletter “may have been captured.”
That data, affecting 481 subscribers, included names, position titles and email addresses but not passwords, according to the ECB which is contacting people whose data may have been compromised.
The ECB launched a test that simulates cyber-attacks on banks back in 2018 as a means of creating a single framework for testing the cyber-resilience of financial organizations. Against that backdrop, it is somewhat concerning that the attackers appear to have succeeded in injecting malware onto the server in order to support phishing activity, and that the compromise went unnoticed for months until routine maintenance work uncovered it.
No internal ECB systems or market-sensitive data were compromised, according to the ECB statement, which also added that “we have informed the European Data Protection Supervisor about the breach.”
Tom Draper, the technology and cyber practice leader at risk management outfit Gallagher, said that the attack on the ECB appears to have been caused by a breach of a vendor’s server. “Similar to the Capital One breach earlier this summer,” Draper continued, “this further demonstrates the exposures associated with third parties outside of a company’s security team.”
The ECB also suffered a data breach in 2014. In a statement published July 24, 2014, the ECB said that a database serving its public website had been hacked. That statement confirmed “an anonymous email was sent to the ECB seeking financial compensation for the data. While most of the data were encrypted, parts of the database included email addresses, some street addresses and phone numbers that were not encrypted. The database also contains data on downloads from the ECB website in encrypted form.”
Then, as now, the official statement signed off by insisting: “The European Central Bank takes data security extremely seriously.” That tagline is becoming all too familiar across many industry sectors as breach after breach hits the headlines. Two breaches in five years do not convince me that enough is being done to take that security seriously, especially given the nature of the organization that has been targeted.