European Central Bank (ECB) Hack
Retail Fraud Magazine investigated this latest attack and interviewed our Managing Director Colin Tankard:
ECB database ‘only partially encrypted’
27/07/2014: The news of the European Central Bank (ECB) being hacked, with the attackers stealing both email addresses and contact data from the organisation’s public website, is the latest data breach in a line of many.
The ECB announced the breach yesterday, saying that the details only emerged when the hackers tried to extort money in return for the stolen data on Monday. Around 20,000 email addresses and some addresses and phone numbers were stolen from the public part of the ECB website that dealt with conferences and visits.
According to data security company Digital Pathways, whilst the ECB says that no market-sensitive data was compromised, it also said that most of the data – not all – was encrypted.
Colin Tankard of data security company Digital Pathways says, “As only a part of the database seems to have been encrypted, it looks as if they were only encrypting a row or column and were probably using an encryption programme as part of the database offered by the database vendor.
“Often only data such as credit card numbers are encrypted, but this hack shows that this method is not good enough and that the whole database should be encrypted in order to secure all of the personal private data contained within it.
“Relying on a vendor’s single-column encryption is only doing part of the job and is often seen as the easy route, as companies think it is the only way to hide data from their database administration people.
“However, what is needed is the encryption of the total database, which will also protect shadow copy and password files within it. Strong access control should be applied to either user or application access to ensure only authorised people or applications can touch the data. Then, independent logging of the database needs to be implemented so that all access to the data, or changes by database administrators, is held outside of the database administrator’s control. In this way, they have nowhere to hide if they touch the database. A common technique is to switch off auditing in the database while the hack is being done and then switch it on again, thus stopping any alerts.
“Companies really must separate duties between database administration and security management. This is always the best practice.”
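The independent logging described in the quote above can be checked for periods in which database auditing was switched off. The following is an added example, not code from the article or from Digital Pathways; the log format, the actor names and the AUDIT_OFF / AUDIT_ON event names are assumptions, and the sample records are constructed.

```python
from datetime import datetime

# Constructed sample of records held by a collector outside DBA control.
# Hypothetical format: ISO time | actor | event
SAMPLE_LOG = """\
2024-01-15T01:58:00 | app_web | SELECT contacts
2024-01-15T02:03:10 | dba_01 | AUDIT_OFF
2024-01-15T02:04:00 | dba_01 | SELECT contacts
2024-01-15T02:05:30 | dba_01 | EXPORT contacts
2024-01-15T02:09:45 | dba_01 | AUDIT_ON
2024-01-15T02:15:00 | app_web | SELECT contacts
2024-01-15T23:40:00 | dba_02 | AUDIT_OFF
2024-01-15T23:41:00 | dba_02 | UPDATE contacts
"""

def parse(log):
    """Yield (timestamp, actor, event) for each non-empty record."""
    for line in log.strip().splitlines():
        ts, actor, event = (field.strip() for field in line.split("|"))
        yield datetime.fromisoformat(ts), actor, event

def audit_off_windows(log):
    """Return each period with database auditing off and what ran in it."""
    windows, current = [], None
    for ts, actor, event in parse(log):
        if event == "AUDIT_OFF" and current is None:
            current = {"start": ts, "end": None,
                       "disabled_by": actor, "activity": []}
        elif event == "AUDIT_ON" and current is not None:
            current["end"] = ts
            windows.append(current)
            current = None
        elif current is not None:
            # Statement seen while the database's own audit trail was blind.
            current["activity"].append((actor, event))
    if current is not None:
        windows.append(current)  # auditing was never switched back on
    return windows

if __name__ == "__main__":
    for w in audit_off_windows(SAMPLE_LOG):
        end = w["end"].isoformat() if w["end"] else "STILL OFF"
        print(f"{w['disabled_by']} disabled auditing "
              f"{w['start'].isoformat()} -> {end}: {w['activity']}")
```

Because the records sit outside the database administrator's control, the window and the statements run inside it remain visible even though the database's own audit trail recorded nothing for that period.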