European Central Bank Breached

German Police Investigate After Ransom Demand Reveals Hack

The website of the European Central Bank has been breached and contact information for event registrants stolen. The breach only came to light when a hacker attempted to obtain a ransom to return stolen data to the bank.

Breached data included e-mail addresses and other contact information, which were stolen from a public-facing ECB website, the bank says in a July 24 statement. But the "theft was from a database that is separate from any internal system," one that is designed for event registration. The bank says no internal or market-connected systems were breached.

"The database itself, which is not linked to our internal systems, contains about 20,000 e-mail addresses, and a much smaller number of other data," an ECB spokeswoman tells Information Security Media Group. Furthermore, she says "95 percent of the data [in the database] was encrypted." It's not clear, however, if the attacker was able to access the entire database.

The bank declined to comment on when the breach occurred, but says it received the anonymous communication late the night of July 21 "seeking financial compensation for the data." The bank says its security team took immediate action, fixed the vulnerability that had been exploited by the attacker and notified German police, who have launched a related investigation.

Bank Resets Passwords

The bank is contacting anyone whose e-mail address or other personal information may have been stolen. The bank has also reset all passwords for the breached system.

The ECB, which is based in Frankfurt, Germany, administers the monetary policy for the Eurozone, which includes the 18 European countries that have adopted the euro as their currency; it's also the central bank for the euro.

The bank says "most" of the breached database was encrypted, and pertained to events. "We have a registration form that we use for certain events taking place ... at ECB conferences, for example, and we have a registration form tool, which is linked to the database," the bank spokeswoman says. But e-mail addresses, as well as some street addresses and phone numbers, were stored in unencrypted format. The database also included "data on downloads from the ECB website in encrypted form," the bank says, referring to material that individuals may have downloaded from the website.

The spokeswoman declined to offer technical details, including which application was hacked or how data was being encrypted. But in recent years, advances in password cracking, aided by faster and less expensive clusters of GPU cards, have allowed attackers -- given enough time and offline access to encrypted data -- to brute-force decrypt large amounts of data.

Central Bank Attacks

This isn't the first hack attack to target a central bank. In March 2014, the Russian Central Bank was hacked just before the bank prepared to discuss interest rates at a monetary policy meeting.

That followed the People's Bank of China being hit by distributed-denial-of-service attacks in December 2013. While the source of the attacks wasn't clear, the DDoS campaign began after the central bank issued a statement saying bitcoin "is not a real currency," and was part of a more widespread, government-led cryptocurrency crackdown. Many security experts, accordingly, ascribed the attack to angry bitcoin aficionados.