It seems that no organisation, large or small, is safe. The European Central Bank (ECB) has been hacked, with attackers stealing email addresses and contact data from the organisation’s public website.
In a statement, the bank said that no internal systems or market sensitive data were compromised. “The database serves parts of the ECB website that gather registrations for events such as ECB conferences and visits. It is physically separate from any internal ECB systems.”
The bank says that “most” of the stolen data was encrypted, but that parts of the databases including email addresses, some street addresses and phone numbers were stored in plaintext. Also stolen, in encrypted form, was “data on downloads from the ECB website”.
The break-in was only discovered when the thief emailed the bank to ask for financial compensation for the data. The bank is contacting all people whose email addresses or other data may have been compromised.
In March 2014, Russia’s central bank fell prey to a different kind of attack: a denial of service that left its site struggling under the weight of traffic. That attack came in the run-up to its quarterly interest rate decision.
A separate denial of service attack took down China’s central bank in December 2013. The attack was widely pinned on bitcoin advocates, angry at the country’s attempts to clamp down on the cryptocurrency.
“The ECB breach is the latest in a long line of high profile attacks against financial targets. The motivation for this attack seems to be financial gain via ransom; the target was an innocuous web site used for managing event information. Not all data was encrypted, with email, telephone and addresses being stored in plain text,” explains Will Semple, VP of research and intelligence, Alert Logic.
“This is also a good example of the underlying problem facing organisations trying to manage ‘Cyber’ issues. The traditional risk based approach of security assessment and control design will allow for a low level/low value web site to be built without protections such as data encryption at rest and in transit. If we take a Threat based approach to the same question we get a radically different answer,” he continues.
“Factor in reputation damage and market confidence impact due to a low level attack and you start to design for Cyber Resiliency against Threat rather than ‘acceptable risk’.
A Threat based approach could conceivably have mitigated this issue for the ECB and the resulting fall out.”