By Alister Bull and Jim Finkle
WASHINGTON/BOSTON, Feb 5 - The Federal Reserve
said on Tuesday that one of its internal websites had been
briefly breached by hackers, though no critical functions of the
U.S. central bank were affected by the intrusion.
The admission, which raises questions about cyber security
at the Fed, follows a claim that hackers linked to the activist
group Anonymous had struck the Fed on Sunday, accessing personal
information of more than 4,000 U.S. bank executives, which it
published on the Web.
"The Federal Reserve system is aware that information was
obtained by exploiting a temporary vulnerability in a website
vendor product," a Fed spokeswoman said.
"Exposure was fixed shortly after discovery and is no longer
an issue. This incident did not affect critical operations of
the Federal Reserve system," the spokeswoman said, adding that
all individuals affected by the breach had been contacted.
Technology news site ZDNet separately reported that
Anonymous appeared to have published information allegedly
containing the login information, credentials, internet protocol
addresses and contact information of more than 4,000 U.S.
bankers on Sunday night.
The claim was made via Twitter over an account registered to
OpLastResort, which is linked to Anonymous, a loosely organized
group of hacker activists who have claimed responsibility for
scores of attacks on government and corporate sites over the
past several years.
OpLastResort is a campaign that some hackers linked to
Anonymous have started to protest government prosecution of
computer prodigy Aaron Swartz, who committed suicide on Jan. 11.
The Fed declined to identify which website had been hacked.
But information that it provided to bankers indicated that the
site, which was not public, was a contact database for banks to
use during a natural disaster.
A copy of the message sent by the Fed to members of its
Emergency Communication System (ECS), which was obtained by
Reuters, warned that mailing address, business phone, mobile
phone, business email, and fax numbers had been published.
"Some registrants also included optional information
consisting of home phone and personal email. Despite claims to
the contrary, passwords were not compromised," the Fed said.
The central bank separately confirmed the authenticity of
the message to ECS members.
The website's purpose is to allow bank executives to update
the Fed if their operations have been flooded or otherwise
damaged in a storm or other disaster. That helps the Fed to
assess the overall impact of the event on the banking system.
Hackers identifying themselves as Anonymous infiltrated the
U.S. Sentencing Commission website late last month to protest
the government's treatment of the Swartz case.
Swartz was charged with using the Massachusetts Institute of
Technology's computer networks to steal more than 4 million
articles from JSTOR, an online archive and journal distribution
service. He faced a maximum sentence of 31 years if convicted.
Cyber-security specialists said that any organization's
computer systems could be breached, and that it was up to an
organization like the Fed to prioritize its security needs, in
order to protect its most sensitive information from attack.
"Every system is going to have some vulnerability to it. You
cannot set up a system that will survive all possible attacks,"
said Mark Rasch, director of privacy and security consulting at
CSC and a former federal cyber crimes prosecutor.
"You have to defend against every possible vulnerability and
the attackers only have to find one way in," he said.