European banking regulator says cyber-attack was ‘limited’ in scope

The European Banking Authority (EBA) has confirmed that no data was compromised in the recent cyber-attack against its Microsoft Exchange servers.

The regulator took its entire email system offline after the attack and warned on Sunday that the attacker could have obtained access to personal data through emails held on the servers.

However, it now says that the scope of the attack was “limited” and the confidentiality of its systems and data was not compromised.

“Thanks to the precautionary measures taken, the EBA has managed to remove the existing threat and its email communication services have, therefore, been restored,” the EBA said in a statement on Tuesday.

In addition to re-securing its email system, the EBA “remains in heightened security alert” and will continue to monitor the situation.

Other organisations targeted in the global cyber-attack are thought to include banks, electricity providers and local government.

Attackers gained access to Exchange servers either by exploiting previously undiscovered vulnerabilities or by using stolen passwords.

“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments,” Microsoft said.

Microsoft issued emergency patches last week, but they do nothing to disinfect systems that are already compromised.

The White House National Security Council urged organisations with a vulnerable server to “take immediate measures to determine if they were already targeted”.