The European Central Bank has a bit of a black eye with the public after revealing that hackers compromised its website and were able to abscond with 20,000 email addresses.
The ECB, which manages the the financial system across 18 Eurozone member states, said that the database that was lifted contained website form data, gathered when users fill out registrations for conferences, webinars and the like. Most of the information was encrypted, but the emails (and some addresses and phone numbers) were not.
The hackers anonymously alerted the bank via e-mail, asking a ransom for the data.
“It’s been a tough week for European banks with regard to cybersecurity,” said Tim Erlin, director of security and risk at Tripwire, in a comment to Infosecurity. “Unless we’re missing some important facts, it makes little sense for the ECB to pay a hacker money in this circumstance, as there’s no guarantee that he won’t also sell access to the data in addition to getting the ransom. Data isn’t the same as a physical object or person. It’s copied, not stolen. The more typical data ransom scenario involves preventing access to a user’s data via encryption, then selling them the keys to decrypt it. There’s no indication here that the ECB has lost access to this data.”
The ECB was quick to downplay the ramifications. "No internal systems or market sensitive data were compromised," it said in a statement.
However, there is quite a lot that hackers can do with 20,000 emails, including spamming, phishing, brute-forcing the accounts and testing them as credentials for other, more sensitive sites like online banking.
The bank has said little else about the incident, but noted that it has changed all passwords as a precaution, and that the database had no exposure to the bank’s internal systems. The cybercrime unit of the Frankfurt police, where the bank is located, is investigating the case.