Unauthorized third parties hacked the European Central Bank’s (ECB) Banks’ Integrated Reporting Dictionary (BIRD) website, nicking email addresses and other contact information for 481 subscribers and prompting the bank to shut the site down indefinitely.
“The breach succeeded in injecting malware onto the external server to aid phishing activities,” the ECB said in a release, adding that the BIRD site, which provides details on producing statistical and supervisory reports to the banking industry, “is physically separate from any other external and internal ECB systems.”
Potentially affected BIRD subscribers are being notified of the breach, which was discovered during routine maintenance.
Noting that the ECB’s claim that “only contact information was stolen” seems tame by 2019 standards, Bryan Becker, DAST product manager and security researcher at WhiteHat Security, said, “The scary part is that this breach happened in 2018 but was only recently noticed because of system maintenance.”
The long stretch between breach and detection isn’t surprising, though. “The average time for organizations to detect a breach is around 200 days, and around 160 days for the financial sector (which is the second best of all industries!),” said Becker. “This just shows how much more difficult it is to handle security reactively than it is to be proactive about it.”