The European Central Bank has revealed that information including email addresses and contact data has leaked in a data breach – and that the unknown attackers demanded “financial compensation” from the bank in return for not releasing the information.
The BBC reports that records for 20,000 people leaked in the breach, which affected a database serving the ECB's website. The ECB released a statement pointing out that the database was separate from internal systems, and that “no market-sensitive data was compromised.”
“The theft came to light after an anonymous email was sent to the ECB seeking financial compensation for the data,” the bank said. The data came from people who had applied to attend ECB events via the site, and those affected have been notified.
The use of data theft as a tool for extortion is a potent weapon for cybercriminals. In some cases, blackmailers have carried out threats – and put companies out of business.
Veteran security researcher and We Live Security writer Graham Cluley says, “In the last few weeks there have been numerous stories of online criminals launching attacks against businesses with the aim of extorting money from their victims.”
As an extra precaution, all passwords on the site have been reset. Police in Germany have been informed and are investigating.
Silicon Republic reports that the European regulator is believed not to have paid the (undisclosed) ransom.
The site reports that the attack follows a pattern of similar moves against poorly protected databases at international financial institutions, and DDoS attacks directed against bank sites.
It has also been revealed that mobile phone giant Nokia had, a few years back, found itself in the uncomfortable position of handing over millions of dollars to blackmailing hackers who had stolen encryption codes for the Symbian operating system, and were threatening to post them online.
Data breaches can cause a loss of confidence among consumers, and cause lasting damage not only to a brand, but to profit. Marketing Week reports that Target – the subject of a large-scale data breach affecting millions of Americans – saw profits down 46% year-on-year in the last quarter. The breach led to the departure of the company’s CEO and CIO, and a restructuring of the company’s command structure.
“While most of the data were encrypted, parts of the database included email addresses, some street addresses and phone numbers that were not encrypted,” the ECB said. The affected database “is physically separate from any internal ECB systems,” the bank said.
Author Rob Waugh, We Live Security