The European Central Bank (ECB) has been breached by cyber criminals for the second time in five years. The bank announced on Thursday (August 15) that one of its websites was hacked by an unauthorised entity, who then installed malware onto the site and stole the contact details of almost 500 subscribers.
An emailed statement released by the ECB explains that hackers installed malware onto an external server that hosts the Banks’ Integrated Reporting Dictionary (BIRD). According to a Financial Times report, the hackers then used the database behind BIRD to host software for phishing attacks. The ECB said bad actors may have gained access to email addresses, names and position titles of 481 subscribers to the BIRD statistical newsletter, but that no passwords were taken.
The bank was also keen to stress that “neither ECB internal systems nor market-sensitive data were affected” by the breach, as the BIRD website is hosted externally and separately from the ECB’s main systems.
Commenting on the data breach, Tom Draper, technology & cyber practice leader at Gallagher, said: “From publicly available information, the cyberattack on the ECB appears to have been caused by a breach of a vendor’s server. Similar to the Capital One breach earlier this summer, this further demonstrates the exposures associated with third parties outside of a company’s security team.”
The ECB’s latest breach also highlights unexpected risks in the cyber supply chain. Earlier this year, international specialist insurer Hiscox released its Cyber Readiness Report 2019, in which the insurer analysed the widespread lack of visibility into third-party cyber risks.
Meghan Hannes, cyber product head for Hiscox in the US, said: “Cyber risk in the supply chain needs to be taken more seriously. Companies need to audit third-party vendors to see what their cyber readiness posture is, check what their contracts look like, and to determine how everyone will respond in the event of a breach. There’s often a lot of uncertainty …”
Unfortunately for the ECB, this is not the first time one of its websites has been breached by hackers. Back in 2014, the Frankfurt-based bank announced a security breach on its public website, which led to the theft of email addresses and other personal contact details.
In its written statement, the institution said it “takes data security very seriously” and that it has informed the European Data Protection Supervisor about the incident.