The European Central Bank (the ECB) announced on Thursday the 24th of July that its website was the victim of a cyber-attack resulting in the security of the site being compromised. The attack resulted in a breach of the security for a database serving its public website. The database is used for individuals to register for conferences, events, and visits hosted by the organisation. The ECB stated that while most of the database was encrypted, some of the database held contact details such as email addresses, phone numbers, and addresses in unencrypted format. The ECB believes that approximately 20,000 people who had registered with the bank's website are affected by the breach.
In its statement, the ECB says it was unaware of the attack until it was contacted by an anonymous party claiming to be behind the attack. The anonymous contact then proceeded to try to extort the bank, threatening to publish the compromised data unless the bank met their demands. The ECB refused to meet the demands and is in the process of contacting the individuals affected and resetting the passwords for all users on the system.
According to the ECB's website, it "is responsible for the prudential supervision of credit institutions located in the euro area and participating non-euro area Member States, within the Single Supervisory Mechanism, which also comprises the national competent authorities." While the ECB states no market data or internal systems were compromised by the breach, it is no doubt embarrassing for an institution of this stature to fall victim to such an attack.
The ECB has assured all those affected that its security experts have identified and addressed the vulnerability that led to the compromise. The ECB is also working with German police to try to track down those responsible for the attack.
Other organisations can learn some interesting lessons from this breach:
- Once again the importance of monitoring systems for potential breaches has been highlighted. It is interesting to note the ECB were not aware of the attack until they were contacted by the anonymous person claiming to be behind the attack. Until then the ECB's system, and the personal data entrusted to the ECB by those visiting the site, continued to be vulnerable and at risk. So the key takeaway from this breach is to ensure that your log monitoring and alerting solution is comprehensive, covers all key systems, and that it is effective.
- You should regularly review your log monitoring and alerting systems to make sure they are attuned to your particular environment. Conducting this exercise in line with any vulnerability management or penetration testing exercises can help highlight where there are such weaknesses.
- Those behind the attack tried to monetise the data as quickly as possible by using extortion, demanding payment or the data would be published. This is a trend we are seeing become more popular, with criminals demanding payment to refrain from launching DDoS attacks against a website or from publicising compromised data. This ploy should be included in every organisation's incident response playbook to make sure the organisation has a documented and tested response to extortion-based attacks.
- After the attack, the ECB's security experts were able to identify and address the vulnerability. From the reports it is not clear what the vulnerability was, but the issue highlights how effective and regular vulnerability testing, augmented by penetration tests, can help identify and address issues before others do.
The ECB is working closely with the police to try to bring those behind the attack to justice. As an organisation tasked with providing oversight to the European Union's banking systems, and the security of same, this episode will no doubt be an embarrassing one.