20,000 contacts of the European Central Bank have their contact information compromised

"The attackers exploited a vulnerability to access a database serving the ECB's public website, the institution announced Thursday on its website. No internal systems or market sensitive data were affected, the ECB said.

The compromised database primarily contained contact information provided by users when registering for various ECB events and conferences. Most of the data was encrypted, but email addresses, phone numbers and street addresses were not, according to the ECB.

The database contained around 20,000 email addresses and a lower number of phone numbers and physical contact addresses, an ECB spokeswoman said Thursday. It's not known at this time if the attackers copied the entire database or only parts of it, but 95 percent of the information in the database was encrypted, she said.

ECB learned of the breach late Monday night when it received an anonymous email from the attackers seeking financial compensation for the data.

The ECB has not and will not pay anything, the ECB spokeswoman said."
http://www.pcadvisor.co.uk/news/security/3532564/hackers-steal-user-data-from-the-european-central-bank-website-ask-for-money/

First, the ECB has an external database that has a vulnerability (wow, so nobody monitored this?).

Secondly, publicly saying that they won't pay is official policy. This doesn't mean that somebody won't eventually pay just to keep the data out of the underworld. But even that can't be guaranteed.

Thirdly, 5% of the database was not encrypted, which makes the case for full encryption again.

Fourth, they can't see which data was lost or copied, which raises questions about the monitoring of the database and of access to it (and about the database security tools that weren't installed; even with a vulnerability present, such tools can, for example, ensure that someone can never copy the whole dataset).

Fifth, they have done a reset of all logins, but the data that was lost consists of phone numbers (vishing), email addresses (targeted attacks) and physical addresses (profile building). So if you can be attacked in one of these ways and the results would be disastrous for you or your institution or firm, then you will have to change your phone number and your email address (and if your home address is in fact secret and has to stay secret, you will have to move).

These listings are sold to whoever wants to pay for them.
