The Federal Reserve found a security breach on a website it uses to stay in touch with banks during emergencies and said no critical operations were affected.
“The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product,” according to a Richmond Fed statement from Jim Strader, a spokesman for the regional bank that runs the central bank’s information-technology office. “This incident did not affect critical operations of the Federal Reserve System.”
The intrusion comes less than three months after U.S. lawmakers failed to advance legislation aimed at safeguarding computer networks considered vital to U.S. economic and national security.
The central bank’s Emergency Communications System was accessed by hackers, the Richmond Fed confirmed. Banks use the site to designate their emergency contacts who would receive regulatory updates during crises such as natural or man-made disasters.
“This is just another reminder of how relentless and sweeping cyberattacks are,” said House Intelligence Committee Chairman Mike Rogers, a Michigan Republican, in an email. “Cyberattackers, many from foreign countries, are targeting every aspect of the American economy every day and Congress needs to act with urgency.”
The Richmond Fed said “the exposure was fixed shortly after discovery and is no longer an issue,” according to the emailed statement.
A group claiming to be the hacker-activist organization known as Anonymous took responsibility for the breach. The group posted the names, titles and email addresses of more than 4,000 bankers on the pastebin.com website, said Doug Johnson, vice president of risk management policy at the American Bankers Association in Washington.
The posted data didn’t include more sensitive information such as bank account numbers, said Johnson.
The Fed has been working to contact every individual on the list, he said.
“I sternly suggest those 4,000 bankers change their passwords to all their critical systems,” including email and social media accounts, said Ronen Kenig, director of solutions at Radware Ltd., a Tel Aviv-based network security provider.
The contact information obtained in the attack on the Fed could be valuable, as it could be used for future attacks on the financial sector, he said. Hackers who know the names and email addresses of bankers can target them with so-called “spearphishing” attacks, trying to get them to click on links or attachments with malicious software that can penetrate bank systems and exploit entire networks, Kenig said.
Many of the largest U.S. banks including Bank of America Corp. and JPMorgan Chase & Co. were targeted by hackers in a series of so-called denial-of-service attacks last year that flooded the banks’ websites with traffic and caused disruptions for online customers.