European Central Bank confirms website hack and data breach

Graham Cluley

The European Central Bank (ECB), the central bank of the 19 European countries which have adopted the euro, has shut down a compromised website after it discovered that hackers had planted malware that stole information from newsletter subscribers.

An ECB press release admits that subscribers to the Banks’ Integrated Reporting Dictionary (BIRD) newsletter had their email addresses and other contact details stolen after hackers successfully planted malware on webpages on the BIRD website, which is hosted by an external provider.

Fortunately, the ECB claims that passwords were not stolen, and that neither the bank’s internal systems nor market-sensitive data were affected.


A cheery message on the BIRD website currently tells visitors that the site is down for maintenance, but makes no mention of the security breach.

Back soon

We’ll be back soon!
Sorry for the inconvenience but we’re performing some maintenance at the moment. If you need to you can always contact us, otherwise we’ll be back online shortly!

— The BIRD Team

The ECB press release, however, confirms that 481 subscribers to the BIRD newsletter may have had their contact details stolen. That’s obviously far, far, far from the biggest data breach that has ever been seen, but the nature of the particular victims underlines that even a “small” data breach can be important.

It’s obviously a relief to hear that passwords weren’t stolen, as that could have made things much more serious (especially as so many people make the mistake of reusing the same password in multiple places).

But a breach like this is still serious. Criminals who have accessed the contact details of subscribers could use them in criminal attacks, perhaps through targeting users with malware or phishing scams, or potentially by attempting to defraud companies through business email compromise attacks.

Disappointingly, the ECB’s advisory doesn’t say if affected parties are being contacted to warn of the security breach, or offer any indication of how long the security problem may have existed. However, this Reuters report claims that the earliest evidence found of a website compromise dates back to December 2018, and that victims are being informed.

Anyone affected needs to be wary of unsolicited emails, and of clicking on links that may attempt to compromise their computers or steal further information from them.



Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy.
