Days after the personal information of over 4,000 banking executives was leaked to the Web by a group affiliated with the hacktivist movement Anonymous, the Federal Reserve admits to having suffered an online security breach.
Spokespeople for the Fed alerted customers on Tuesday that private information stored online was compromised during a weekend hack, all but confirming the source for a trove of data published two days earlier by the loose-knit Anonymous collective.
“The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product,” a spokeswoman for the bank tells Reuters.
Currently, the Fed maintains that the incident was mild in nature, “did not affect critical operations” of the bank and has been resolved. An admission from the Fed does suggest, however, that hackers are capable of compromising data that is presumably well protected.
During Sunday’s Super Bowl, the Twitter account @OpLastResort announced that personal info pertaining to thousands of banking executives had been obtained, and a tweet directing followers to a hacked Alabama Criminal Justice Information Center website linked to the data. Now the Fed says that an emergency notification system was indeed breached, thus compromising private but not necessarily secret user names, phone numbers and other credentials stored on the server.
The exploit, admits the Fed, allowed for the release of user contact data stored within its Emergency Communications System, or ECS, “a system used by the Federal Reserve and state banking departments to notify depository institutions of operational status in the event of natural or other disasters.”
“Information obtained from the registrants consisted of mailing address, business phone, mobile phone, business email and fax. Some registrants also included optional information consisting of home phone and personal email. Despite claims to the contrary, passwords were not compromised, but nonetheless, have been reset as a precautionary measure,” continues a spokesperson for the St. Louis Fed in a statement first obtained by ZDNet.
A source speaking to ZDNet on condition of anonymity adds, “The banks on the list were not compromised.” On the website Reddit, however, one user claims to have called some of the phone numbers published on the Alabama CJIC site and adds some insight into the severity of the breach.
“What must be so problematic for the Federal Reserve is not the information so much as this file was stolen from their computers at all. The ramifications of that kind of loss of control are severe,” Reddit user PericlesMortimer writes.
OpLastResort is an Anonymous faction of sorts that was spawned after last month’s untimely death of Reddit co-founder and computer whiz Aaron Swartz, who committed suicide at age 26 while awaiting trial. The US government was charging Swartz with violating the Computer Fraud and Abuse Act because he allegedly accessed millions of academic and scholarly articles from the website JSTOR without explicit authorization. Swartz was facing decades in prison if convicted, but OpLastResort and similar campaigns have strived in recent weeks to make progress in reforming the CFAA.