A malware infection which caused the shutdown of a European Central Bank (ECB) website should not be blamed on its third-party service provider, according to a spokesperson at the ECB, as the central bank is responsible for its upkeep.
The central bank announced it had shut down its Banks’ Integrated Reporting Dictionary (Bird) website last week, after it was discovered to have been infected with malicious software.
The malware had been injected into a third-party server hosting the website and was detected via a maintenance check conducted by the central bank. Email addresses, names, and titles of around 400 subscribers to the Bird newsletter may have been stolen. The central bank has stressed that neither its internal systems nor market-sensitive data were affected by the infection.
The earliest files related to the breach date back to December last year, indicating that the malware could have been operating on the Bird server for up to nine months. The ECB has not yet decided whether it will continue to work with the affected provider.
Brian Chappell, director at cybersecurity firm BeyondTrust, says that the length of time the infection was active before detection was greater than industry averages. “Given this was an external website only using easily accessible user data with no access into ECB back-end systems, you could be excused for thinking that this was reasonable; however, that is based on the assumption that passwords were not exposed.
“Even if encrypted passwords were captured, there is a risk that some or all of them have been cracked, and we all know that password reuse is a real problem, potentially leaving other systems accessed by the exposed 481 individuals open to unauthorised access.”
Given the ECB’s launch of its European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU) a little over a year ago, Chappell adds, it would have been unexpected for the central bank to blame the unnamed provider.
“Wherever your data is, it’s your responsibility to secure it – you cannot rely on others to do it for you. While you might not be able to take direct action, you can still ensure you are fully aware of the action being taken by the third party on your behalf. Should you change provider? Probably not – unless a pattern emerges that indicates there is a systemic problem at the provider. Better to work with that provider to ensure appropriate measures are being taken moving forward.”
A May report by the Ponemon Institute suggests that despite 80 percent of organisations believing that vetting third parties for cyber risk is crucial, 60 percent admit they’re either somewhat or not at all effective at doing so.
A November 2018 study by the same firm found that companies share confidential information with an average of 583 third parties, with 59 percent of those asked stating they’d experienced a breach caused by a third party in the past 12 months.
Rick McElroy, head of security strategy at Carbon Black, adds that while it’s important to note that financial institutions like the ECB have more robust cybersecurity protocols than others, that does not make the central bank immune from cyberattacks.
He adds that firms should be proactive in hunting down threats, even if they exist on third-party systems. “There is still considerable opportunity for financial institutions to improve cybersecurity postures and go on the offensive with threat hunting teams. Based on the conversations we’ve had during our research, the majority of banks have limited visibility as it relates to east-west [moving between servers] traffic.”