One of the Federal Reserve's internal websites was breached, though no critical functions of the U.S. central bank were affected by the intrusion.
The admission, which raises questions about cyber security at the Fed, follows a claim that hackers linked to Anonymous struck the Fed last Sunday, accessing personal information of more than 4,000 U.S. bank executives, which they published on the Web.
“The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product,” a Fed spokeswoman said.
“Exposure was fixed shortly after discovery and is no longer an issue. This incident did not affect critical operations of the Federal Reserve system,” the spokeswoman said, adding that the Fed contacted all individuals affected by the breach.
The Fed declined to identify which website suffered from the hack. But information that it provided to bankers indicated the site, which was not public, was a contact database for banks to use during a natural disaster.
A copy of the message sent by the Fed to members of its Emergency Communication System (ECS) warned that mailing address, business phone, mobile phone, business email, and fax numbers had been published.
“Some registrants also included optional information consisting of home phone and personal email. Despite claims to the contrary, passwords were not compromised,” the Fed said.
The central bank separately confirmed the authenticity of the message to ECS members.
The website’s purpose is to allow bank executives to update the Fed if their operations have been flooded or otherwise damaged in a storm or other disaster. That helps the Fed to assess the overall impact of the event on the banking system.
Hackers identifying themselves as Anonymous infiltrated the U.S. Sentencing Commission website late last month to protest the government’s treatment of the Swartz case.
Swartz faced charges of using the Massachusetts Institute of Technology’s computer networks to steal more than 4 million articles from JSTOR, an online archive and journal distribution service. He faced a maximum sentence of 31 years if convicted.
Cyber security specialists said any organization’s computer systems could suffer a breach, and that it was up to an organization like the Fed to prioritize its security needs, in order to protect its most sensitive information from attack.
“Every system is going to have some vulnerability to it. You cannot set up a system that will survive all possible attacks,” said Mark Rasch, director of privacy and security consulting at CSC and a former federal cyber crimes prosecutor.
“You have to defend against every possible vulnerability and the attackers only have to find one way in,” he said.