European Central Bank Closes a Website Following Hack
Malware Found; Personal Data Apparently Exposed
The European Central Bank has closed one of its websites after its IT staff found that a hacker compromised some personal information on the site and also planted malware.
About 480 site users apparently had their information exposed, the bank said in a statement. And while the attackers did not access passwords, it appears that email addresses, names and job titles were exposed and possibly stolen, the bank reports.
The affected website, which is known as the Bank Integrated Reporting Dictionary, or BIRD, is hosted by an outside provider and is not physically connected to the rest of the central bank's systems, the bank says. The site provides the European banking industry with details on how to produce statistical and supervisory reports.
The central bank says the site will remain closed indefinitely. A spokesperson for the central bank did not reply to a request for further comment.
No other internal central bank systems or market data was affected in this attack, according to the statement. Investigators determined, however, that the hacker managed to plant malware on an external server that supports the compromised site as a result of what appears to be a phishing attack, the bank reports. The malware was found during routine maintenance work within IT systems, according to the statement.
The European Central Bank has notified the European Data Protection Supervisor, which is the main consumer privacy advocate for Europe, about the incident.
It's not clear what type of company hosted the BIRD site.
It's these types of third-party services, however, where businesses and other organizations tend to have the most issues when it comes to ensuring good cybersecurity, says Steve Durbin, the managing director of the London-based Information Security Forum.
Durbin notes Delta Airlines recently filed a lawsuit against [24]7.ai, a service that provides online customer chat for websites. Attackers apparently took advantage of weaknesses in the third-party service to steal customer data from Delta in 2017.
And while it's easy to blame third parties, the responsibility for security lapses rests with the organization whose data has been compromised, Durbin says.
"The way we run our businesses today increasingly requires us to work with third parties - whether they be cloud providers, technology vendors or specialist organizations," Durbin says. "But the responsibility for ensuring the confidentiality, integrity and indeed availability of the information running on systems supported by those third parties remains ours."
In recent years, the European Central Bank has been hit by several cyberattacks.
In 2014, its main consumer-facing website was hit by an attack in which contact information for event registrants was stolen. The breach only came to light when a hacker attempted to obtain a ransom to return stolen data (see: European Central Bank Breached).
But other central banks have been hit by much more lucrative malicious campaigns.
For example, attackers hit Bangladesh Bank in 2016, using fraudulent messages through the SWIFT inter-bank messaging system to steal $101 million, of which $81 million remains missing (see: Bangladesh Bank Sues to Recover Funds After Cyber Heist).