
7 things we learnt from the ECB hack

Companies need not repeat the mistakes of the EU's central bank.

By Jimmy Nicholls

On Thursday we learnt that the European Central Bank (ECB) suffered a data breach. No market-sensitive information was said to have been taken, but contact details for people who had registered for events with the bank were.

German police have been called in to investigate, and those whose details have been snatched have been informed. But what lessons can companies draw from this attack on one of the most powerful institutions in the EU?

1. Every organisation is at risk

This year has been a bumper year for cyber attacks, with Target, eBay and News UK having all suffered at the hands of hackers.

Keith Bird, managing director at security firm Check Point, said: "This attack highlights how even high profile organisations with robust defences can fall victim to enterprising cyber criminals. The European Central Bank was clearly unaware it had been infiltrated as it first found out when the attackers issued a ransom for the data they had obtained."

Of the 150 financial groups the company audited last year, 88% had been involved in a data-loss incident, up by a quarter on 2012.

2. All customer data should be encrypted

Only some of the data taken by crooks from the ECB was encrypted, a startling oversight given its potential uses.


Jason Hart, vice president of cloud security at SafeNet, said: "Any data stored in a plain-text state is easily readable and can be easily accessed by cyber criminals. So companies need to think about encrypting all customer data, both in storage and transit."

Strong encryption can ensure that when a breach does occur the stolen information is useless to criminals, which both discourages them from attacking in the first place and limits the damage if they get in. That only holds if the keys are kept apart from the data: a database dump that also contains the keys is as good as plaintext.
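As an added illustration of what "encrypted in storage" looks like in practice (this is example code written for this page, not anything the ECB or the quoted vendors published), the following Go program seals a constructed contact record with AES-256-GCM from the standard library. The record, its ID and the key are all made up here. The key is generated in memory and would in a real deployment live in a KMS or HSM rather than beside the ciphertext; the record ID is bound as associated data so a blob copied into another row will not decrypt, and any bit-flip in the stored blob is rejected rather than returning garbage. Encryption in transit is a separate matter (TLS) and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// ContactRecord is a constructed stand-in for the kind of event-registration
// data the article describes. No real data is used.
type ContactRecord struct {
	Name    string `json:"name"`
	Email   string `json:"email"`
	Phone   string `json:"phone"`
	Address string `json:"address"`
}

// NewDataKey returns a fresh 256-bit AES key. In production the key is held in
// a KMS or HSM, never in the same store as the ciphertext it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal serialises the record and encrypts it with AES-256-GCM. The stored blob
// is nonce || ciphertext || tag. recordID is bound as associated data, so a
// blob moved under another ID fails to open.
func Seal(key []byte, recordID string, rec ContactRecord) ([]byte, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, []byte(recordID)), nil
}

// Open reverses Seal. Any modification of the blob, a wrong key, or a
// mismatched recordID fails authentication and returns an error.
func Open(key []byte, recordID string, blob []byte) (ContactRecord, error) {
	var rec ContactRecord
	block, err := aes.NewCipher(key)
	if err != nil {
		return rec, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return rec, err
	}
	if len(blob) < gcm.NonceSize() {
		return rec, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return rec, err
	}
	err = json.Unmarshal(plain, &rec)
	return rec, err
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the values are placeholders.
	rec := ContactRecord{Name: "A. Attendee", Email: "attendee@example.org", Phone: "+00 000 0000", Address: "1 Example Street"}
	blob, err := Seal(key, "attendee-0001", rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d opaque bytes\n", len(blob))
	got, err := Open(key, "attendee-0001", blob)
	fmt.Println("legitimate read:", got.Email, err)
	// An attacker holding only a database dump cannot read or alter records.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, "attendee-0001", tampered)
	fmt.Println("tampered blob:", err)
	_, err = Open(key, "attendee-0002", blob)
	fmt.Println("blob moved to another record:", err)
}
```

The point the program makes is the one Hart's quote leaves implicit: a stolen table of these blobs is worthless without the key, and with GCM the thief cannot even quietly edit a record in place. Rotating the data key periodically, and re-sealing records under the new key, keeps a single leaked key from exposing the whole history.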

3. A little data can lead to identity fraud

The ECB unsurprisingly downplayed the significance of the hack, pointing out that sensitive financial and market information had been stored separately. But this doesn’t mean the data is harmless.

Charles Sweeney, chief executive at security firm Bloxx, said: "A professional hacker doesn’t need much more than a name, address and date of birth in order to defraud a person and assume their identity.

"This data might not rank as highly in terms of sensitivity to the wider market place and the ECB itself, but to the individuals that could potentially be impacted it is most definitely of concern and underlines the need for all, not just some, data to be robustly protected."

4. A minor breach can dent a company’s reputation

Customers will be upset that their data has gone walkabout, but companies also have to worry about the effect on their reputation, especially when they are charged with holding other people's money.

Will Semple, vice president of research and intelligence for security firm Alert Logic, said: "It will be interesting to monitor the markets to see if this incident introduces confidence concerns in the ECB over the next few days."

5. Organisations should challenge ethical hackers to attack them

Many security experts have a history of hacking, and not always as one of the good guys. Firms should make use of this.

Toyin Adelakun, vice president of products for security firm Sestus, said: "It is always beneficial to have frequent, regular and irregular penetration-testing (pen-testing) performed by so-called ethical hackers, to make sure that as many as possible of your blind spots are uncovered.

"Even better, have multiple or different pen-testers address your Web sites and networks, so that you have a comprehensive view of the threats — and thus a comprehensive view of the necessary security countermeasures."

6. Security must increasingly seek to protect data

Keeping the bad guys outside the perimeter used to be the focus for security companies, but this is changing now that the market for stolen data is so profitable.

Gary Newe, senior systems engineering manager at application firm F5 Networks, said: "This attack is the latest to deliver a clear message to businesses across Europe – the assets we protect are no longer the infrastructure or the networks, it is the information contained in the applications that we need to address.

"We need to use tools like web application firewall (WAF), proxy functionality, and contextual awareness to understand and separate legitimate users from those with more suspicious motives, and better protect our data using these insights in real time."

7. It is still a bad idea to pay ransoms

Ransoms create a dilemma for the victim. In the short term it is tempting to buy off the hacker, but in the long term this may just encourage subsequent attacks.

Bob Tarzey, analyst and director at research firm Quocirca, said: "There is less reason to pay for this than even human ransom. Thieves may or may not have a copy, and they may or may not misuse what they have regardless of whether a ransom is paid. How do you know they will destroy what they have?

"As for crypto ransom (your data is encrypted and we will only give you the keys for payment), this would be bad news for a bank regardless of how important the data was. It would expose poor practice, not just in weak security, but in weak backup processes."
