In a press release published on its website on Thursday morning, the bank said that an unidentified hacker had been able to compromise a database serving its public website, leading to the theft of around 20,000 email addresses and other contact data, such as telephone numbers and postal addresses. The contact details belonged to people who had registered for events at the ECB.
No internal systems were compromised and no market-sensitive data was stolen, which the bank attributed in part to the website database being “physically separate” from internal ECB systems.
The ECB was alerted to the breach by an anonymous email from the hacker, who was demanding financial compensation in return for the data, some of which – including street names and phone numbers – was not encrypted.
The bank said that it would be contacting those people affected by the breach, and added that all passwords on the system have been changed as a precaution.
“The ECB takes data security extremely seriously. German police have been informed of the theft and an investigation has started. ECB data security experts have addressed the vulnerability,” reads the statement.
A number of information security professionals spoke to SCMagazineUK.com after the event, with many suspecting that the attack was not advanced and was more likely an SQL injection attack against a database probably “run by a marketing team” and not subject “to the same rigour of testing as more sensitive parts of the bank”.
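The kind of flaw those professionals suspect, shown as an added illustration rather than code from the ECB's site or from SC Magazine: an event-registration lookup that concatenates user input into the query, beside the parameterised version that closes the hole. The table, column names, sample rows and the `' OR 1=1 --` payload are all constructed for the example; nothing about the real schema or the real attack is public.

```python
import sqlite3

# Constructed sample data standing in for an event-registration table.
# This is not the ECB's schema; the rows are invented for the demonstration.
REGISTRATIONS = [
    ("alice@example.org", "+49 69 000001", "Kaiserstrasse 1", "Forum 2014"),
    ("bob@example.org", "+49 69 000002", "Sonnemannstrasse 20", "Forum 2014"),
    ("carol@example.org", "+49 69 000003", "Taunusanlage 5", "Press briefing"),
]

# A tautology with a trailing SQL comment: it turns a single-row lookup into a full dump.
PAYLOAD = "' OR 1=1 --"


def build_db():
    """Create an in-memory database with the constructed registration rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registrations (email TEXT, phone TEXT, address TEXT, event TEXT)"
    )
    conn.executemany("INSERT INTO registrations VALUES (?, ?, ?, ?)", REGISTRATIONS)
    return conn


def lookup_vulnerable(conn, email):
    """Deliberately vulnerable: the caller-supplied email is spliced into the SQL text.

    With PAYLOAD the WHERE clause becomes  email = '' OR 1=1 --'  and every row comes back.
    """
    sql = (
        "SELECT email, phone, address FROM registrations WHERE email = '"
        + email
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """Hardened form: the value travels as a bound parameter, never as SQL syntax.

    The same PAYLOAD is now just a string compared against the email column, so it matches nothing.
    """
    sql = "SELECT email, phone, address FROM registrations WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with a normal email and with the payload; return the row counts."""
    conn = build_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice@example.org")),
        "vulnerable_payload": len(lookup_vulnerable(conn, PAYLOAD)),
        "parameterised_normal": len(lookup_parameterised(conn, "alice@example.org")),
        "parameterised_payload": len(lookup_parameterised(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The contrast is the point the quoted professionals are making: a low-value marketing form that builds queries by string concatenation leaks the whole contact table to a single request, while the parameterised query needs no input filtering to be safe. Segregating that database from internal systems, as the ECB did, limits the blast radius but does not remove the need to test the public-facing code with the same rigour.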
Keith Bird, MD for security specialist Check Point, said that the incident was a sign that banks are increasingly losing data to the hands of ‘enterprising’ cyber-criminals, pointing to some of the company's own statistics.
“This attack highlights how even high profile organisations with robust defences can fall victim to enterprising cyber-criminals. The European Central Bank was clearly unaware it had been infiltrated as it first became aware when the attackers issued a ransom for the data they had obtained.
“In 2013 we did in-depth security audits at 150 financial organisations worldwide, and found that 88 percent had experienced a data loss incident in 2013, up from 61 percent in 2012. With the pace of attacks increasing it highlights the need for multiple layers of defence, including encryption for all data, to mitigate the risks of intrusion and data theft.”
Antti Tikkanen, director of security response at antivirus vendor F-Secure, said that the ECB had reacted quickly to the incident and praised the network segregation.
“I think the ECB came out with quite a clear statement on what has happened, and explained what kind of data was lost. In general, the best option is not to store any data you fear you might lose. If you can't do that, then encrypt it. Sometimes all data simply can't be encrypted because of the way it's used. If only customer contact data was lost, they did a better job than average with segregation."
Javvad Malik, a security analyst at 451 Group, agreed, adding to SC in an email: “It's been a quick response and they've done all the right things from a PR perspective - acknowledged the breach, contacted authorities, given assurance that it was of limited scope and that they are working with law enforcement to track down the culprits."
The analyst added that banks should learn that ‘no data is necessarily trivial’, especially with cyber-criminals piecing various datasets together.
“The chemistry of data, if you will, comes into effect – just like how you can combine two inert elements to make an explosive one – you can take data and merge it with others to build a bigger picture. A criminal could take these records taken from ECB and compare them against details of users taken from the Adobe or eBay leak or Target – all of a sudden it starts to represent a bigger problem."