The hacking of a database serving the website of the European Central Bank (ECB) highlights classic underlying problems facing modern organisations, according to security experts.
The Frankfurt-based ECB said there had been a breach of the security protecting a database serving the portion of its public website used to register people for bank events and visits.
The bank said "most" of the stolen data was encrypted, but that parts of the database – including email addresses, some street addresses and phone numbers – were stored in plain text.
The anonymous hacker stole around 20,000 email addresses and a smaller number of telephone numbers and addresses, reported the BBC.
The compromised database contains data on downloads from the ECB website in encrypted form.
No internal systems or market-sensitive data were compromised, as the database is physically separate from any internal systems, the ECB said.
The bank was alerted to the intrusion and data theft by a ransom email from the hackers, but no details have been given of the threats or demands made in the email.
The ECB is contacting people whose email addresses or other data might have been compromised. All passwords have been changed on the system as a precaution.
The bank said German police had begun an investigation and ECB data security experts have addressed the vulnerability.
Risk to reputation
Will Semple, vice-president of research and intelligence at security firm Alert Logic, said the incident shows how the breach of a relatively low-value database can result in disproportionate reputational damage.
“This is also a good example in the underlying problem facing organisations trying to manage cyber issues,” he said.
According to Semple, the traditional risk-based approach of security assessment and control design will allow for a low-value database to be built without protections such as data encryption.
“If we take a threat-based approach to the same question, we get a radically different answer because, if you factor in reputation damage and market confidence impact due to a low level attack, you start to design for cyber resiliency against threat, rather than ‘acceptable’ risk,” he said.
Semple believes education about cyber threats is needed at the business level. He said organisations should create a board-level cyber threat action plan to get the issue on the agenda and begin to quantify it for the executives.
“A cyber threat board action plan will help set expectations and define what a senior business leader should do if they are unfortunate enough to experience an attack,” he said.
Jason Hart, vice-president of cloud security at SafeNet, said any data stored in a plain-text state is easily readable and can be easily accessed by cyber criminals.
“Organisations need to think about encrypting all customer data, both in storage and transit,” he said.
Hart said only those companies that adopt a "secure breach" approach, consisting of a combination of strong authentication, data encryption and key management, can be confident that data is useless should it fall into unauthorised hands.
“According to SafeNet’s breach level index the breach can be classified as a moderate data breach. The severity of the breach is minimised because password and financial data was encrypted,” he said.
“But the fact that the hackers were able to get their hands on email address and phone numbers is likely to have a significant impact on customer trust.”
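Hart's "secure breach" combination described above (encryption of stored customer data with the key managed outside the database) can be shown concretely. The Go program below is an added example written for this page; it is not ECB code and not something the quoted experts supplied. It assumes a constructed event-registration table with email and phone columns, AES-256-GCM for the field encryption, and a 32-byte data key that lives outside the database (a KMS or HSM in practice, a fixed byte slice here). The point it demonstrates is the one Hart makes: a copied table then contains no readable addresses or phone numbers, and a ciphertext moved to another column or read with the wrong key fails to decrypt rather than yielding data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// newGCM builds an AES-GCM AEAD from a 16/24/32-byte data key.
func newGCM(dataKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one plaintext field under dataKey. A fresh random
// nonce is prepended to the ciphertext and the whole value is base64 so
// it fits an ordinary text column. The column name is bound as associated
// data, so a value cannot be silently moved from one column to another.
func EncryptField(dataKey []byte, column, plaintext string) (string, error) {
	gcm, err := newGCM(dataKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; any tampering, wrong key or wrong
// column name makes gcm.Open return an error instead of plaintext.
func DecryptField(dataKey []byte, column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short to hold a nonce")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Registration is one row of the constructed event-registration table.
// Email and Phone hold ciphertext, never the values the visitor typed.
type Registration struct {
	ID    int
	Email string
	Phone string
}

// StoreRegistration returns the row exactly as it would be written to the
// database: identifiers in the clear, personal data encrypted per column.
func StoreRegistration(dataKey []byte, id int, email, phone string) (Registration, error) {
	encEmail, err := EncryptField(dataKey, "email", email)
	if err != nil {
		return Registration{}, err
	}
	encPhone, err := EncryptField(dataKey, "phone", phone)
	if err != nil {
		return Registration{}, err
	}
	return Registration{ID: id, Email: encEmail, Phone: encPhone}, nil
}

// DumpContainsPlaintext models what someone who copies the whole table
// learns: it reports whether needle appears anywhere in the stored rows.
func DumpContainsPlaintext(rows []Registration, needle string) bool {
	for _, r := range rows {
		if strings.Contains(r.Email, needle) || strings.Contains(r.Phone, needle) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed key: in production it comes from a KMS/HSM, not the DB.
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		panic(err)
	}
	row, err := StoreRegistration(dataKey, 1, "alice@example.com", "+49 69 0000000")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", row)
	fmt.Println("dump reveals email:", DumpContainsPlaintext([]Registration{row}, "alice@example.com"))
	email, _ := DecryptField(dataKey, "email", row.Email)
	fmt.Println("decrypted with the key held elsewhere:", email)
}
```

Keeping the data key out of the database is what makes the stored table useless on its own; if the key is stored beside the rows, a dump carries everything needed to decrypt them and the encryption adds nothing.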