Fed Says Critical Operations Unaffected by Website Breach

The Federal Reserve found a security breach on a website it uses to stay in touch with banks during emergencies and said no critical operations were affected.

“The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product,” according to a Richmond Fed statement from Jim Strader, a spokesman for the regional bank that runs the central bank’s information-technology office. “This incident did not affect critical operations of the Federal Reserve System.”

The intrusion comes less than three months after U.S. lawmakers failed to advance legislation aimed at safeguarding computer networks considered vital to U.S. economic and national security.

The central bank’s Emergency Communications System was accessed by hackers, the Richmond Fed confirmed. Banks use the site to designate their emergency contacts who would receive regulatory updates during crises such as natural or man-made disasters.

“This is just another reminder of how relentless and sweeping cyberattacks are,” said House Intelligence Committee Chairman Mike Rogers, a Michigan Republican, in an e-mail. “Cyberattackers, many from foreign countries, are targeting every aspect of the American economy every day and Congress needs to act with urgency.”

Intrusion Fixed

The Richmond Fed said “the exposure was fixed shortly after discovery and is no longer an issue,” according to the e-mailed statement.

A group claiming to be the hacker-activist organization known as Anonymous took responsibility for the breach. The group posted the names, titles and e-mail addresses of more than 4,000 bankers on the pastebin.com website, said Doug Johnson, vice president of risk management policy at the American Bankers Association in Washington.

The information didn’t include more sensitive information such as bank account numbers, said Johnson, whose group talked to the Fed about the incident yesterday. The pastebin post with the banker information was not available today.

The Fed has been working to contact every individual on the list, he said.

“I sternly suggest those 4,000 bankers change their passwords to all their critical systems,” including e-mail and social media accounts, said Ronen Kenig, director of solutions at Radware Ltd., a Tel Aviv-based network security provider.

Valuable Information

The contact information obtained in the attack on the Fed could be valuable, as it could be used for future attacks on the financial sector, he said. Hackers who know the names and e-mail addresses of bankers can target them with so-called “spearphishing” attacks, trying to get them to click on links or attachments with malicious software that can penetrate bank systems and exploit entire networks, Kenig said.

Many of the largest U.S. banks including Bank of America Corp. and JPMorgan Chase & Co. were targeted by hackers in a series of so-called denial-of-service attacks last year that flooded the banks’ websites with traffic and caused disruptions for online customers.

Even if damage from this attack is limited, the hacking may contribute to fears that the government cannot protect private information, said Jacob Olcott, a cybersecurity consultant at GoodHarbor Security Risk Management in Washington.

Inadequate Controls

“The banks didn’t want this information publicly out there so it probably is another case where the federal government is not implementing appropriate security controls on a sensitive website,” he said.

Lawmakers in Washington are considering cybersecurity measures. Rogers, the Michigan congressman, has said he will soon reintroduce a bill that would give companies legal protections for sharing cyber-threat information with each other and the government, and that would allow the government to pass along classified cybersecurity data to the private sector.

The bill will essentially mirror legislation that the House passed last April. That bill failed to advance in the Senate.

President Barack Obama’s administration is considering an executive order to create voluntary cybersecurity standards for companies operating the nation’s vital infrastructure such as power grids and chemical plants. Obama in October signed a separate directive authorizing the National Security Agency and other military units to take more aggressive action to defeat attacks on government and private computer systems.

Before it's here, it's on the Bloomberg Terminal.