Fed Says Critical Operations Unaffected by Website Breach

Photographer: Andrew Harrer/Bloomberg

The intrusion of a website the central bank uses comes less than three months after U.S. lawmakers failed to advance legislation aimed at safeguarding computer networks considered vital to U.S. economic and national security.

The Federal Reserve found a security breach on a website it uses to stay in touch with banks during emergencies and said no critical operations were affected.

“The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product,” according to a Richmond Fed statement from Jim Strader, a spokesman for the regional bank that runs the central bank’s information-technology office. “This incident did not affect critical operations of the Federal Reserve System.”

The intrusion comes less than three months after U.S. lawmakers failed to advance legislation aimed at safeguarding computer networks considered vital to U.S. economic and national security.

The central bank’s Emergency Communications System was accessed by hackers, the Richmond Fed confirmed. Banks use the site to designate their emergency contacts who would receive regulatory updates during crises such as natural or man-made disasters.

“This is just another reminder of how relentless and sweeping cyberattacks are,” said House Intelligence Committee Chairman Mike Rogers, a Michigan Republican, in an e-mail. “Cyberattackers, many from foreign countries, are targeting every aspect of the American economy every day and Congress needs to act with urgency.”

Intrusion Fixed

The Richmond Fed said “the exposure was fixed shortly after discovery and is no longer an issue,” according to the e-mailed statement.

A group claiming to be the hacker-activist organization known as Anonymous took responsibility for the breach. The group posted the names, titles and e-mail addresses of more than 4,000 bankers on the pastebin.com website, said Doug Johnson, vice president of risk management policy at the American Bankers Association in Washington.

The information didn’t include more sensitive information such as bank account numbers, said Johnson, whose group talked to the Fed about the incident yesterday. The pastebin post with the banker information was not available today.

The Fed has been working to contact every individual on the list, he said.

“I sternly suggest those 4,000 bankers change their passwords to all their critical systems,” including e-mail and social media accounts, said Ronen Kenig, director of solutions at Radware Ltd., a Tel Aviv-based network security provider.

Valuable Information

The contact information obtained in the attack on the Fed could be valuable, as it could be used for future attacks on the financial sector, he said. Hackers who know the names and e-mail addresses of bankers can target them with so-called “spearphishing” attacks, trying to get them to click on links or attachments with malicious software that can penetrate bank systems and exploit entire networks, Kenig said.

Many of the largest U.S. banks including Bank of America Corp. and JPMorgan Chase & Co. were targeted by hackers in a series of so-called denial-of-service attacks last year that flooded the banks’ websites with traffic and caused disruptions for online customers.

Even if damage from this attack is limited, the hacking may contribute to fears that the government cannot protect private information, said Jacob Olcott, a cybersecurity consultant at GoodHarbor Security Risk Management in Washington.

Inadequate Controls

“The banks didn’t want this information publicly out there so it probably is another case where the federal government is not implementing appropriate security controls on a sensitive website,” he said.

Lawmakers in Washington are considering cybersecurity measures. Rogers, the Michigan congressman, has said he will soon reintroduce a bill that would give companies legal protections for sharing cyber-threat information with each other and the government, and that would allow the government to pass along classified cybersecurity data to the private sector.

The bill will essentially mirror legislation that the House passed last April. That bill failed to advance in the Senate.

President Barack Obama’s administration is considering an executive order to create voluntary cybersecurity standards for companies operating the nation’s vital infrastructure such as power grids and chemical plants. Obama in October signed a separate directive authorizing the National Security Agency and other military units to take more aggressive action to defeat attacks on government and private computer systems.

To contact the reporters on this story: Joshua Zumbrun in Washington at jzumbrun@bloomberg.net; Eric Engleman in Washington at eengleman1@bloomberg.net

To contact the editor responsible for this story: Chris Wellisz at cwellisz@bloomberg.net
