The European Central Bank (ECB) confirmed Thursday that it had been hit by a cyberattack that involved attackers injecting malware into one of its websites and potentially stealing contact information of its newsletter subscribers.
Headquartered in Frankfurt, Germany, the European Central Bank (ECB) is the central bank of the 19 European Union countries that have adopted the euro, and it is itself responsible for supervising the banks operating across those countries.
In an official statement published Thursday, the ECB said unknown “unauthorized parties” had managed to breach its Banks’ Integrated Reporting Dictionary (BIRD) website, which was hosted by a third-party provider, eventually forcing the bank to shut down the site.
Launched in 2015, BIRD is a joint initiative of the Eurosystem's central banks and the euro-area banking industry. It gives banks a precise description of the data they must report, so that reporting agents can organize the information held in their internal systems efficiently and fulfil their regulatory reporting requirements.
At the time of writing, the BIRD website displays a page informing visitors that the site is down for maintenance at the moment and will be back online shortly.
However, it doesn’t mention anything about the security incident.
According to a Reuters report, the BIRD website appears to have been compromised in December 2018, but the ECB only discovered the breach late last week during routine maintenance work.
The unknown attackers installed malware on the external server hosting the BIRD website and used it to serve phishing software, which may have allowed them to capture the email addresses, names and job titles of 481 subscribers to the site's newsletter.
No internal ECB systems or market-sensitive data was compromised, according to the ECB statement, which also added that “we have informed the European Data Protection Supervisor about the breach.”
Tom Draper, the technology and cyber practice leader at risk management outfit Gallagher, said that the attack on the ECB appears to have been caused by a breach of a vendor’s server.
“Similar to the Capital One breach earlier this summer,” Draper continued, “this further demonstrates the exposures associated with third parties outside of a company’s security team.”
The ECB also suffered a data breach in 2014. In a statement published July 24, 2014, the ECB said that a database serving its public website had been hacked.
That statement confirmed “an anonymous email was sent to the ECB seeking financial compensation for the data. While most of the data were encrypted, parts of the database included email addresses, some street addresses and phone numbers that were not encrypted.
The database also contains data on downloads from the ECB website in encrypted form.”
Then, as now, the official statement signed off by insisting: “The ECB takes data security extremely seriously.” It is a tagline that has become all too familiar across many industry sectors as breach after breach hits the headlines.
Two breaches in five years don’t convince me that enough is being done to take that security seriously enough, especially considering the organization that has been targeted.
If you are one of the affected subscribers, be aware that a name, job title and email address are exactly what an attacker needs to craft a convincing targeted phishing email. Treat unsolicited messages with suspicion, particularly any that claim to come from the ECB or BIRD, and follow standard security practices while browsing online.
The ECB is far from the only target. Attacks on banks have increased in recent years, and the largest cyber-heist on record so far remains the 2016 attack on the central bank of Bangladesh, in which cybercriminals stole $81 million from the bank's account at the Federal Reserve Bank of New York while attempting to transfer $951 million.