The European Central Bank (ECB) confirmed it suffered a breach that involved attackers injecting malware which led to a potential loss of data, and forced ECB to close down its Banks’ Integrated Reporting Dictionary (BIRD) website until further notice.
In an official statement, the ECB said unknown "unauthorized parties" had managed to breach its Banks' Integrated Reporting Dictionary website, which was hosted by a third-party provider, eventually forcing the bank to shut down the sitehttps://t.co/WjWYIptnDM
— Luka Milinković (@LukaMilinkovi1) August 19, 2019
While cyber attack simulations using red teams like the ones the European Central Bank deployed are good in theory, they are limited in scale and not nearly comprehensive enough to conduct a thorough assessment of third-party risk. Hacker-powered security, or crowd-sourced security, can provide that degree of scalability due to the number of hackers involved in continuous testing of an organization’s attack surface.
ECB’s statement claims only contact information was stolen, which almost seems tame in 2019. The scary part is that this breach happened in 2018 but was only recently noticed because of system maintenance. This isn’t that unexpected, though, as the average time for organisations to detect a breach is around 200 days, and around 160 days for the financial sector (which is the second best of all industries!). This just shows how much more difficult it is to handle security reactively than it is to be proactive about it.
The financial services sector is frequently targeted by malicious attackers, due to the nature of the data it receives, shares and manages. The European Central Bank (ECB) is the latest victim, with hackers installing malware that’s thought to have collected email addresses and other details from its Banks’ Integrated Reporting Dictionary (BIRD) website.
It’s important the 481 BIRD subscribers who have had their details compromised be extra vigilant going forward. The compromised email addresses that have been taken from the server could be used in future phishing attacks by malicious actors, enabling them to gain further pieces of personal data or trick recipients into downloading malware to their systems.
These subscribes should be on the lookout for any message that seems suspicious, for example using incorrect branding or poor grammar. In addition, they shouldn’t click on any suspicious links contained in these emails; instead, they should hover their mouse over it to see if the address matches the link displayed or if possible, open the site via another window.
The breach and its consequences are minuscule compared to most of the other breaches that have occurred in 2019. However, the nature of the breach and the time it took to detect it are quite alarming. The question is how many more breaches of ECB and its externalized systems have not yet been discovered, and what will the impact be.
Third-parties with unknown volumes of sensitive data are the Achilles’ Heel of holistic cybersecurity. Organizations should ensure a comprehensive visibility and up2date inventory of their digital assets, as you cannot protect what you are can’t see. Third-party risk management including verification of how do they enforce applicable data protection policies is another vital though widely ignored task. Finally, a continuous security monitoring should be implemented for all public-facing web applications hosted internally, externally or in the cloud.