Unauthorized third parties hacked the European Central Bank (ECB) Banks’ Integrated Reporting Dictionary (BIRD) website, nicking email and other contact information on 481 subscribers and prompting the bank to shut down the website indefinitely.

“The breach succeeded in injecting malware onto the external server to aid phishing activities,” the ECB said in a release, adding that the BIRD site, which provides details on producing statistical and supervisory reports to the banking industry, “is physically separate from any other external and internal ECB systems.”

Potentially affected BIRD subscribers are being notified of the breach, which was discovered during routine maintenance.

Noting that the ECB’s claim that “only contact information was stolen” seems tame by 2019 standards, Bryan Becker, DAST product manager and security researcher at WhiteHat Security, said, “The scary part is that this breach happened in 2018 but was only recently noticed because of system maintenance.”

The long stretch between breach and detection isn’t surprising, though. “The average time for organizations to detect a breach is around 200 days, and around 160 days for the financial sector (which is the second best of all industries!),” said Becker. “This just shows how much more difficult it is to handle security reactively than it is to be proactive about it.”