The European Central Bank (ECB), the central bank of the 19 European countries which have adopted the euro, has shut down a compromised website after it discovered that hackers had planted malware that stole information from newsletter subscribers.
An ECB press release admits that subscribers to the Banks’ Integrated Reporting Dictionary (BIRD) newsletter had their email addresses and other contact details stolen after hackers successfully infected malware onto webpages on the BIRD website, which is hosted by an external provider.
Fortunately, the ECB claims that passwords were not stolen, and none of the bank’s internal systems were compromised or market-sensitive data was affected.
A cheery message on the BIRD website currently tells visitors that site is currently down for maintenance, but makes no mention of the security breach.
We’ll be back soon!
Sorry for the inconvenience but we’re performing some maintenance at the moment. If you need to you can always contact us, otherwise we’ll be back online shortly!
— The BIRD Team
The ECB press release, however, confirms that 481 subscribers to the BIRD newsletter may have had their contact details stolen. That’s obviously far far far from the biggest data breach that has even been seen, but the nature of the particular victims underlines that even a “small” data breach can be important.
It’s obviously a relief to hear that passwords weren’t stolen, as that could have meant things which were much more serious (especially as so many people make the mistake of reusing the same password in multiple places).
But a breach like this is still serious. Criminals who have accessed the contact details of subscribers could use it in criminal attacks, perhaps through targeting users with malware or phishing scams, or potentially by attempting to defraud companies through business email compromise attacks.
Disappointingly, the ECB’s advisory doesn’t say if affected parties are being contacted to warn of the security breach, or offer any indication of how long the security problem may have existed. However, this Reuters report claims that the earliest evidence found of a website compromise dates back to December 2018, and that victims are being informed.
Anyone affected needs to be wary of unsolicited emails and clicking on links that may attempt to compromise their computers or steal further information from them.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.