The European Central Bank (ECB) announced on Thursday that unknown hackers recently infiltrated one of its websites and stole names, addresses, and position titles of 481 subscribers of its Banks' Integrated Reporting Dictionary (BIRD) newsletter.
In a press release, ECB said that hackers infiltrated the BIRD website after injecting malware onto the external server to aid phishing activities. It is unclear when exactly the intrusion took place, but ECB claims that the breach was detected during regular maintenance work.
Fortunately, the BIRD website is physically separate from other external or internal ECB systems and therefore its breach did not impact the organisation's IT infrastructure. The website was managed by a vendor and was used to provide the banking industry with details on how to produce statistical and supervisory reports. Following the discovery of the breach, ECB has shut the website down until further notice to take corrective measures.
"The breach and its consequences are minuscule compared to most of the other breaches that have occurred in 2019. However, the nature of the breach and the time it took to detect it are quite alarming. The question is how many more breaches of ECB and its externalized systems have not yet been discovered, and what will the impact be?" asked Ilia Kolochenko, founder and CEO of ImmuniWeb.
Error by third-party vendor impacting security credentials of ECB
"Third parties with unknown volumes of sensitive data are the Achilles' heel of holistic cybersecurity. Organisations should ensure comprehensive visibility and an up-to-date inventory of their digital assets, as you cannot protect what you can't see.
"Third-party risk management, including verification of how they enforce applicable data protection policies, is another vital though widely ignored task. Finally, continuous security monitoring should be implemented for all public-facing web applications hosted internally, externally or in the cloud," he added.
In October last year, the Financial Conduct Authority (FCA) issued a fine of £16,400,000 to Tesco Bank for failing to prevent a data breach in November 2016 that resulted in the loss of £2.26 million of customers' money.
The financial watchdog said in a statement that deficiencies in Tesco Bank's design of its debit card, in its financial crime controls, and in its Financial Crime Operations Team as well as a series of errors committed by the bank after the breach was detected resulted in customers losing millions.
The FCA concluded that because of such errors, the breach caused inconvenience and distress to a large proportion of Tesco Bank’s debit card customers, resulted in 668 unpaid direct debits on customers’ accounts, stopped customers from carrying out their banking activities for over 48 hours, and also resulted in hackers netting £2.26 million from Tesco Bank’s personal customer accounts.