
Personal data stolen from European Central Bank website as ICO issues separate data breach fine

Out-Law News | 24 Jul 2014 | 4:18 pm | 2 min. read

The European Central Bank (ECB) has reported experiencing a personal data breach after identifying that information entered by some users of its website had been left exposed to unauthorised access.

The data relates to individuals who entered personal details when registering for ECB events. The ECB said that the security of a database storing the details had been breached and that it had become aware of the breach after receiving an anonymous email from someone demanding "financial compensation for the data". The security vulnerability has now been fixed, it said.

The ECB said that the database the data was stolen from is "separate from any internal system" and said those internal systems and market sensitive data it holds had not been compromised during the breach. It said it had notified German police of the incident and that an investigation into the breach has been launched.

"While most of the data were encrypted, parts of the database included email addresses, some street addresses and phone numbers that were not encrypted," the ECB said. "The database also contains data on downloads from the ECB website in encrypted form. The ECB is contacting people whose email addresses or other data might have been compromised and all passwords have been changed on the system as a precaution."

News of the ECB data breach incident emerged as the UK's data protection watchdog, the Information Commissioner's Office (ICO), announced that it has served an online travel services business with a £150,000 fine over a personal data breach the company experienced following a cyber attack.

The ICO said that "insecure coding" used by a subsidiary of Think W3 Limited allowed a hacker to access 1,163,996 credit and debit card records. More than 430,000 of those records were identified as still being active.

The ICO criticised Think W3 Limited for failing to conduct security checks to identify weaknesses in the systems on which the data was being stored. It said the company was responsible for a serious breach of the Data Protection Act.

"This was a staggering lapse that left more than a million holiday makers' personal details exposed to a malicious hacker," Stephen Eckersley, head of enforcement at the ICO, said. "Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers' personal data secure; failing to test their security and failing to delete out-of-date information."

"The public’s awareness of the importance of data protection is rising all the time. Ignorance from data controllers is no excuse. They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage," he said.

Under the DPA organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The ICO can issue fines of up to £500,000 against companies it finds responsible for a serious breach of the Act. In May the watchdog issued technical guidance to help organisations comply with their obligations to keep personal data secure.