The good news is that the breach involved only a database serving the bank's public website, which contained only email addresses and other contact data left by people who registered for events at the ECB.
"No internal systems or market sensitive data were compromised," the bank confirmed on Thursday. "The database serves parts of the ECB website that gather registrations for events such as ECB conferences and visits. It is physically separate from any internal ECB systems."
While most of the data in the compromised database was encrypted, some email and physical addresses and some phone numbers weren't, and the bank has immediately started contacting the people whose data was accessed. Hopefully they are also telling them to be wary of potential phishing and vishing attempts, as well as identity theft.
The bank has also changed all passwords on the system just in case, and has confirmed that the vulnerability that was exploited in the breach has been addressed.
The German police have been informed of the theft and have started an investigation (the bank's headquarters are in Frankfurt).
"The ECB breach is the latest in a long line of high profile attacks against financial targets. While the ECB statement tries to reassure the public that this database was separate from market systems (which is standard good practice), the result of a breach against a low value (in context) web site to the ECB is disproportional bad press and brand damage," Will Semple, VP of research and intelligence for Alert Logic, commented for Help Net Security. "It will be interesting to monitor the markets to see if this incident introduces confidence concerns in the ECB over the next few days."
"This is also a good example of the underlying problem facing organizations trying to manage ‘cyber’ issues," he noted. "The traditional risk-based approach of security assessment and control design will allow for a low level/low value web site to be built without protections such as data encryption at rest and in transit. If we take a threat-based approach to the same question we get a radically different answer. Factor in reputation damage and market confidence impact due to a low level attack and you start to design for cyber resiliency against threat rather than ‘acceptable risk’."