News broke today that the European Central Bank (ECB) had been hacked, and sensitive information had been stolen and was available for “purchase”.
A source told IT Security Guru that some of the personal data was unencrypted and stored in plain text, while other news sources reported that the attacker was prepared to sell the data for the right fee. The affected database, which the ECB said was kept physically separate from its internal systems, held about 20,000 email addresses and a smaller number of postal addresses and phone numbers. Here is what the industry had to say about this story.
Charles Sweeney, CEO, Bloxx
Whilst personal information from an event database might not, for obvious reasons, be deemed to be as important as sensitive market data, theft of this personal information is still a concern. A professional hacker doesn’t need much more than a name, address and date of birth in order to defraud a person and assume their identity.
This data might not rank as highly in terms of sensitivity to the wider market place and the ECB itself, but to the individuals that could potentially be impacted, it is most definitely of concern and underlines the need for all, not just some, data to be robustly protected.
Tim Erlin, director of security and risk at Tripwire
It’s been a tough week for European banks with regard to cyber security. Unless we’re missing some important facts, it makes little sense for the ECB to pay a hacker money in this circumstance, as there’s no guarantee that he won’t also sell access to the data in addition to getting the ransom. Data isn’t the same as a physical object or person.
It’s copied, not stolen. The more typical data ransom scenario involves preventing access to a user’s data via encryption, then selling them the keys to decrypt it. There’s no indication here that the ECB has lost access to this data.
Will Semple, VP of research and intelligence for Alert Logic
The ECB breach is the latest in a long line of high profile attacks against financial targets. The motivation for this attack seems to be financial gain via ransom; the target was an innocuous website used for managing event information. Not all data was encrypted, such as email, telephone and address, while the ECB statement tries to reassure the public that this database was separate from market systems (which is standard good practice).
The result of a breach is disproportionate bad press and brand damage, and this is the outcome of the attack. It will be interesting to monitor the markets to see if this incident introduces confidence concerns in the ECB over the next few days.
Toyin Adelakun, VP of products for Sestus
Most large and high-profile organisations do take security precautions, but the issue of unknown unknowns bedevils every organisation, large and small. For that reason, in the security context, it is always beneficial to have frequent, regular and irregular penetration testing performed to make sure that as many as possible of your blind spots are uncovered.
Even better, have multiple or different pen testers address your websites and networks, so that you have a comprehensive view of the threats — and thus a comprehensive view of the necessary security counter-measures.
There will always be an arms-race aspect to the management of an organisation’s information security, as attackers are forever probing for vulnerabilities, known and unknown, zero-day and otherwise. Therefore, in addition to putting into place your well-considered defences, it makes sense, as part of a comprehensive security programme, to test those defences.
Jon French, security analyst at AppRiver
I assume they did the necessary and contacted police right away. After that I assume they deduced how and where the attackers got the data from and fixed the hole in their security. As for the ransom, hopefully no company gives in to these ransoms since that can only fuel future hacks. Hackers will see the method works and it’s profitable.
It sounds like the impact is just personal information and not banking information, fortunately. However, the individuals affected could be at a higher risk for things like fraud and phishing attacks. Having your personal information could make it easier for a spear phishing attack against you, since an attacker showing they have some of your personal information already could be more convincing than just a random email. Likewise the attacker could just attempt to use the gained personal data to commit fraud.
Keith Bird, MD for security specialist Check Point
This attack highlights how even high profile organisations with robust defences can fall victim to enterprising cyber criminals. The European Central Bank was clearly unaware it had been infiltrated, as it first became aware when the attackers issued a ransom demand for the data they had obtained.
Jason Hart, VP Cloud Security at SafeNet
We’re seeing more and more cases of cyber criminals stealing unencrypted data and either selling it on the black market, or using it for cyber blackmail. Any data stored in a plain text state is easily readable and can be easily accessed by cyber criminals. So companies need to think about encrypting all customer data, both in storage and transit.
Only those companies that adopt a ‘secure breach’ approach, consisting of a combination of strong authentication, data encryption and key management, can be confident that data is useless should it fall into unauthorised hands.
The severity of the breach is minimised because password and financial data was encrypted. But the fact that the hackers were able to get their hands on email address and phone numbers is likely to have a significant impact on customer trust.
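Hart's point above, that contact data stored in plain text is simply readable to whoever exfiltrates the table, is easier to see with a concrete row. The following Go program is an added example written for this page; it is not SafeNet's, the ECB's, or the event site's code, and the contact record in it is constructed sample data. It encrypts the email and phone columns of an event-registration row with AES-256-GCM under a data key that is assumed to live outside the database (a KMS or HSM), binds each ciphertext to its row and column so values cannot be swapped between records, and then checks what a raw dump of the stored row actually contains.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Contact is one row of a constructed event-registration table (sample data, not real ECB data).
type Contact struct {
	Name  string
	Email string
	Phone string
}

// StoredContact is the row as written to disk: the name stays in clear because it is the
// lookup key; email and phone are AES-256-GCM ciphertexts with the nonce prepended.
type StoredContact struct {
	Name    string
	EmailCT []byte
	PhoneCT []byte
}

// NewDataKey returns a fresh 256-bit key. The "key management" half of the advice is that
// this key is held elsewhere (KMS/HSM or a separate service; assumed here, not shown) and
// never sits in the same database or backup as the ciphertext it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one field. aad binds the ciphertext to its row and column, so a ciphertext
// cut from one record or column cannot be pasted into another and still decrypt.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on a wrong key, a tampered byte, or mismatched aad.
func open(key, ct, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], aad)
}

func aad(name, column string) []byte { return []byte(name + "|" + column) }

// Encrypt turns a plaintext contact into the form that is safe to store.
func Encrypt(key []byte, c Contact) (StoredContact, error) {
	email, err := seal(key, []byte(c.Email), aad(c.Name, "email"))
	if err != nil {
		return StoredContact{}, err
	}
	phone, err := seal(key, []byte(c.Phone), aad(c.Name, "phone"))
	if err != nil {
		return StoredContact{}, err
	}
	return StoredContact{Name: c.Name, EmailCT: email, PhoneCT: phone}, nil
}

// Decrypt is what the application does with the key; an attacker holding only the
// table, and not the key, cannot complete this call.
func Decrypt(key []byte, s StoredContact) (Contact, error) {
	email, err := open(key, s.EmailCT, aad(s.Name, "email"))
	if err != nil {
		return Contact{}, err
	}
	phone, err := open(key, s.PhoneCT, aad(s.Name, "phone"))
	if err != nil {
		return Contact{}, err
	}
	return Contact{Name: s.Name, Email: string(email), Phone: string(phone)}, nil
}

// Exposes reports whether a raw dump of the stored row still contains the plaintext
// email or phone, which is what a plain-text table hands to whoever copies it.
func Exposes(s StoredContact, c Contact) bool {
	return bytes.Contains(s.EmailCT, []byte(c.Email)) || bytes.Contains(s.PhoneCT, []byte(c.Phone))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	c := Contact{Name: "A. Attendee", Email: "attendee@example.org", Phone: "+49 69 000 0000"}
	s, err := Encrypt(key, c)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %s %x %x\n", s.Name, s.EmailCT, s.PhoneCT)
	fmt.Println("plaintext visible in dump:", Exposes(s, c))
	back, err := Decrypt(key, s)
	fmt.Println("decrypted with key:", back, err)
}
```

The name is left in clear only because it is the row's lookup key; if the row ID serves that purpose instead, the name can be encrypted the same way. The row-and-column AAD is the detail that turns "encrypted at rest" into something a dump cannot be quietly rearranged against, and it is the part most often left out.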