This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

European Central Bank loses personal records after data breach

Share this article:

The European Central Bank admitted today that its website was hacked and said that some email addresses and other contact information was stolen.

European Central Bank loses personal records after data breach
European Central Bank loses personal records after data breach

In a press release published on its website on Thursday morning, the bank said that an unidentified hacker had been able to compromise a database serving its public website, with this leading to the theft to around 20,000 email addresses and other contact data – such as telephone numbers and postal addresses. The contact details were of people who had registered for events at the ECB.

No internal systems were compromised, or market sensitive data stolen – and this was down in part to the ECB website database being “physically separate” from internal ECB systems.

The ECB was alerted to the breach by an anonymous email from the hacker, who was demanding financial compensation in return for the data, some of which – including street names and phone numbers – was not encrypted.

The bank said that it would be contacting those people affected by the breach, and added that all passwords on the system have been changed as a precaution.

“The ECB takes data security extremely seriously. German police have been informed of the theft and an investigation has started. ECB data security experts have addressed the vulnerability,” reads the sttement.

A number of information security professionals spoke to SCMagazineUK.com after the event, with many suspecting that the attack was not advanced and more likely an SQL injection attack against a database probably “run by a marketing team” and not subject “to the same rigour of testing as more sensitive parts of the bank”.

Keith Bird, MD for security specialist Check Point, said that the incident was a sign that banks are increasingly losing data to the hands of ‘enterprising' cyber-criminals, pointing to some of the company's own statistics.

“This attack highlights how even high profile organisations with robust defences, can fall victim to enterprising cyber-criminals.  The European Central Bank was clearly unaware it had been infiltrated as it first came aware when the attackers issued a ransom for the data they had obtained.  

“In 2013 we did in-depth security audits at 150 financial organisations worldwide, and found that 88 percent had experienced a data loss incident in 2013, up from 61 percent in 2012.  With the pace of attacks increasing it highlights the need for multiple layers of defence, including encryption for all data, to mitigate the risks of intrusion and data theft.”

Antti Tikkanen, director of security response at antivirus vendor F-Secure, said that the ECB had reacted quickly to the incident and praised the network segregation.

“I think the ECB came out with quite a clear statement on what has happened, and explained what kind of data was lost. In general, the best option is not to store any data you fear you might lose. If you can't do that, then encrypt it. Sometimes all data simply can't be encrypted because of the way it's used. If only customer contact data was lost, they did a better job than average with segregation."

Javvad Malik, a security analyst at 451 Group, agreed, adding to SC in an email: “It's been a quick response and they've done all the right things from a PR perspective - acknowledged the breach, contacted authorities, given assurance that it was of limited scope and that they are working with law enforcement to track down the culprits."

The analyst added that banks should learn that ‘no data is necessarily trivial' – especially with cyber-criminals piecing various datasets together.

“The chemistry of data if you will comes into effect – just like how you can combine two inert elements to make an explosive one – you can take data and merge it with others to build a bigger picture. A criminal could take these records taken from ECB and compare them against details of users taken from the Adobe or eBay leak or Target – all of a sudden it starts to represent a bigger problem."

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

Home Depot card data breach undetected for four months

Home Depot card data breach undetected for four ...

The Home Depot card data breach may have continued for longer than the Target attack late last year, according to new reports.

Microsoft closes Trustworthy Computing as part of layoff strategy

Microsoft closes Trustworthy Computing as part of layoff ...

In a surprise move, Microsoft has effectively closed its Trustworthy Computing (TwC) Group as part of the loss of 2,100 jobs in a restructuring plan announced late last week.

More celebrity pictures revealed: Apple and FBI investigating

More celebrity pictures revealed: Apple and FBI investigating

Celebgate 2: a depressing weekend for some celebrities as more hacked pictures leaked from iCloud.