Europe’s Cyber Watchdog for Banks Has a Little Problem—It Keeps Getting Hacked
Hackers attacked the European Central Bank, one of the chief cyber watchdogs for the European banking sector, with malicious code that forced bank authorities to close down one of its websites and alert the impacted parties.
The hack targeted ECB’s BIRD (short for Banks’ Integrated Reporting Dictionary) website which is used to help member banks complete required supervisory and statistical reports. The compromised systems were discovered during routine maintenance, the ECB said in a statement on Thursday, months after the initial intrusion. An ECB spokesman told news outlets the evidence suggests the hackers gained access as far back as December, 2018.
The BIRD website is hosted by an external server, yet officials were treating the breach seriously. “As a result, it was possible that the contact data (but not the passwords) of 481 subscribers to the BIRD newsletter may have been captured,” the ECB said in a statement. “The affected information consists of the email addresses, names and position titles of the subscribers. The ECB is contacting people whose data may have been affected.”
Every major financial institution in the eurozone falls under the ECB’s cyber-incident reporting framework. They are required to report any hack attacks as soon as they learn of them. “This enables our supervisors to identify and monitor trends in cyber incidents affecting significant institutions and to gain a deeper knowledge of the cyber threat landscape,” the ECB explains. “It also puts us in a position to be able to react more swiftly to a potential crisis caused by a cyberattack.”
As hack attacks go, the 480 or so potential victims is considered a relatively small victim pool. The ECB stressed the impacted server was in no way connected to other external and internal ECB computer systems and that “neither ECB internal systems nor market-sensitive data were affected.”
“But a breach like this is still serious,” Graham Cluley, an independent UK-based IT security analyst, told Fortune. “Criminals who have accessed the contact information could use it in an attempt to defraud innocent parties, target users with malware attacks or phishing scams, or attempt to steal money from businesses through business email compromise attacks.”
He noted the ECB advisory doesn’t specifically mention whether affected parties were being contacted to warn of the security breach, or offer any indication of how long the problem may have been present. “Anyone affected needs to be wary of unsolicited emails and clicking on links that may attempt to compromise their computers or steal further information from them,” he said.
The ECB said it had informed the European Data Protection Supervisor about the breach and was working to reopen the affected site.
This is not the first time the ECB has been the target of hackers. In 2014, the bank said an unknown group broke into its computer system and stole around 20,000 email addresses, plus a smaller number of telephone numbers and addresses of people who had registered for ECB conferences and visits. “The theft came to light after an anonymous email was sent to the ECB seeking financial compensation for the data,” the ECB said in a statement at the time.
More must-read stories from Fortune:
—This recession indicator is going off—but don’t use it to time the market
—The death of trading: Why more big banks think the business is a losing bet
—Business confidence is plummeting because of a “chaotic” environment
—How are big banks doing when it comes to diversity? Congress isn’t impressed
—“Negative” interest rates used to be unthinkable in the U.S.—not anymore
Don’t miss the daily Term Sheet, Fortune‘s newsletter on deals and dealmakers.