Hackers have penetrated the European Central Bank’s Integrated Reporting Dictionary (BIRD) website, stealing personal data and forcing the ECB to shut down the site, which was maintained by a third-party provider.

The breach only came to light during routine maintenance work, the ECB said in a short notice today, adding that “the breach succeeded in injecting malware onto the external server to aid phishing activities.”

That it was not identified earlier will likely raise questions for the ECB’s own security team: such breaches can be the springboard to further attacks, as stolen credentials are used to underpin additional efforts.

ECB Hack: Embarrassing, but not Damaging

The BIRD website provides the banking industry with details on how to produce statistical and supervisory reports. It is physically separate from any other external and internal ECB systems, the ECB said.

“Neither ECB internal systems nor market-sensitive data were affected,” it said.

The hackers only appear to have gained access to the email addresses of 481 subscribers to a statistical newsletter, but the incident is an embarrassment to the ECB.

The breach of what appears to have been a vendor’s server once again drives home the security issues in vendor supply chains and comes days after a major Capital One data breach that appears to have also resulted in scores of other companies being affected.

The precise nature of the exploit has yet to be fully revealed, but it appears to have involved a misconfigured firewall and AWS buckets that were not fully locked down.
