The European Central Bank (ECB) acknowledged on July 24, 2014 that a database serving its public website had been hacked, resulting in the theft of email addresses, phone numbers and mailing addresses for people who had registered for events at the bank.
An ECB spokeswoman told Computerworld that the database contained approximately 20,000 email addresses, along with a smaller number of phone numbers and mailing addresses.
"No internal systems or market sensitive data were compromised," the ECB said in a statement. "The database serves parts of the ECB website that gather registrations for events such as ECB conferences and visits. It is physically separate from any internal ECB systems."
Still, the breach wasn't discovered until the ECB received an email demanding a ransom in return for the data, which the bank says it has refused to pay.
"Unless we're missing some important facts, it makes little sense for the ECB to pay a hacker money in this circumstance, as there's no guarantee that he won't also sell access to the data in addition to getting the ransom," Tripwire director of security and risk Tim Erlin told Computerworld.
Although 95 percent of the data was encrypted, the stolen contact information was not. The ECB is notifying all those whose contact information was compromised, and has reset all passwords as a precaution.
"German police have been informed of the theft and an investigation has started," the ECB said, noting that the vulnerability exploited by the hackers has been patched.
While it's not clear who the hackers behind this attack were, the extortionist hacker group Rex Mundi has demanded ransoms following data breaches several times in the past -- most recently, they stole hundreds of thousands of European customer records from Domino's Pizza in June 2014.