The European Central Bank (ECB) confirmed on Thursday that its Banks’ Integrated Reporting Dictionary (BIRD) website has been compromised by attackers and taken down until the situation is brought under control.
The compromise may have resulted in the attackers harvesting the email addresses, names and position titles of 481 subscribers to the BIRD newsletter, but not their passwords.
About the breach
The European Central Bank is responsible for the management of the euro and conducts the monetary policy of the Eurozone.
The BIRD website, set up to provide the banking industry with details on how to produce statistical and supervisory reports, is hosted by an external provider and is physically separate from any other external and internal ECB systems, the Bank explained.
“The breach succeeded in injecting malware onto the external server to aid phishing activities. The external BIRD website has been closed down until further notice. Neither ECB internal systems nor market-sensitive data were affected.”
The ECB says that the breach came to light during regular maintenance work but, according to Reuters, it dates back to December 2018. Were it not for the maintenance work, who knows how much longer the compromise would have remained unnoticed.
The ECB has informed the European Data Protection Supervisor about the breach and has notified the individuals whose information was compromised.
While the information is not that sensitive and can surely be easily collected from various organizations’ websites, a list such as this one is a perfect ready-made asset for spear-phishing attempts.
In fact, the 2014 breach of one of the ECB’s databases serving its public website resulted in the theft of similar information. The ostensible goal of those attackers was to hold the stolen data for ransom.