Federal Reserve data hacked by Anonymous
Days after the personal information of over 4,000 banking executives was leaked to the Web by a group affiliated with the hacktivist movement Anonymous, the Federal Reserve admits to having suffered an online security breach.
Spokespeople for the Fed alerted customers on Tuesday that private information stored online was compromised during a weekend hack, all but confirming the source for a trove of data published two days earlier by the loose-knit Anonymous collective.
“The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product,” a spokeswoman for the bank tells Reuters.
Currently, the Fed maintains that the incident was mild in nature, “did not affect critical operations” of the bank and has been resolved. An admission from the Fed does suggest, however, that hackers are capable of compromising data that is presumably well protected.
During Sunday’s Super Bowl, the Twitter account @OpLastResort announced that personal info pertaining to thousands of banking executives had been obtained, and a tweet linked to the data by directing followers to a hacked Alabama Criminal Justice Information Center website. Now the Fed says that an emergency notification system was indeed breached, thus compromising private but not necessarily secret user names, phone numbers and other credentials stored on the server.
The exploit, admits the Fed, allowed for the release of user contact data stored within its Emergency Communications System, or ECS, “a system used by the Federal Reserve and state banking departments to notify depository institutions of operational status in the event of natural or other disasters.”
“Information obtained from the registrants consisted of mailing address, business phone, mobile phone, business email and fax. Some registrants also included optional information consisting of home phone and personal email. Despite claims to the contrary, passwords were not compromised, but nonetheless, have been reset as a precautionary measure,” continues a spokesperson for the St. Louis Fed in a statement first obtained by ZDNet.
A source speaking to ZDNet on condition of anonymity adds, “The banks on the list were not compromised.” On the website Reddit, however, one user claims to have called some of the phone numbers published on the Alabama CJIC site and adds some insight into the severity of the breach.