European banking regulator says cyber-attack was ‘limited’ in scope

The European Banking Authority (EBA) has confirmed that no data was compromised in the recent cyber-attack against its Microsoft Exchange servers.

The regulator took its entire email system offline after the attack and warned on Sunday that the attacker could have obtained access to personal data through emails held on the servers.

However, it now says that the scope of the attack was “limited” and the confidentiality of its systems and data was not compromised.

“Thanks to the precautionary measures taken, the EBA has managed to remove the existing threat and its email communication services have, therefore, been restored,” the EBA said in a statement on Tuesday.

In addition to re-securing its email system, the EBA “remains in heightened security alert” and will continue to monitor the situation.

Other organisations targeted in the global cyber-attack are thought to include banks, electricity providers and local government.

Attackers gained access to Exchange servers either by exploiting previously undiscovered vulnerabilities or by using stolen passwords.

“In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments,” Microsoft said.

Microsoft issued emergency patches last week, but they do nothing to disinfect systems that are already compromised.

The White House National Security Council urged organisations with a vulnerable server to “take immediate measures to determine if they were already targeted”.

5.9 million payment cards hacked in Dixons Carphone data breach

Dixons Carphone has admitted to a major data breach involving 5.9 million payment cards and 1.2 million personal records, according to BBC News.

The company said a hacking attempt began in July 2017. The cybercriminals targeted 5.8 million credit and debit cards and succeeded in compromising 105,000 cards which lacked chip-and-pin technology.

Dixons Carphone shares fell 3% on confirmation of the hack. The company said there was no evidence that any of the cards had been used fraudulently. Hackers had sought to access processing systems at stores including Currys PC World and Dixons Travel.

It is unclear why the data breach has only been confirmed one year on, or whether there is any connection with a previous data breach at the firm in 2015.

Chief Executive Alex Baldock said the company was “extremely disappointed” about the breach and had brought in additional security experts to review its practices.

Baldock said: “The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”

Subsidiary company Carphone Warehouse had already warned of a profit drop in 2018 and announced it would close more than 92 of the UK’s 700 stores.