Two federal agencies acknowledged this week that hackers had breached their systems and stole the personal and account information of workers.
On Feb. 3, a group claiming to be affiliated with Anonymous stated on Pastebin that they had compromised a server at the Federal Reserve, which oversees the banking system in the United States and grabbed personal details of 4,000 banking executives. The financial agency confirmed that hackers had exploited a flaw and stolen information.
“The Federal Reserve System is aware that information was obtained by exploiting a temporary vulnerability in a Website vendor product. The vulnerability was fixed shortly after discovery and is no longer an issue,” a Federal Reserve spokesperson stated in an email sent to several news agencies. “This incident did not affect critical operations of the Federal Reserve System.”
Such an information leak, known as doxing, is a popular way among hacktivists to embarrass a target.
On Feb. 2, the Department of Energy notified employees that a similar attack had resulted in the leak of hundreds of employees’ and contractors’ personally identifiable information (PII) in January. The incident, first reported by the Washington Free Beacon, is currently being investigated by the FBI and follows last week’s reports that a number of high-profile media firms—such as The New York Times, The Wall Street Journal and the Washington Post—had been targeted by cyber-espionage campaigns linked to China.
While the damage from the attacks appears to be minor, the fact that two government agencies responsible for critical components of the U.S. economy have been breached is significant, said Rocky DeStefano, CEO of security consultancy VisibleRisk.
“Losing records or being ‘doxed’ is annoying and potentially dangerous, no question. But what would keep me up at night is the ‘what else?’,” DeStefano said in an email interview. “If the aggressors in each situation are willing to release this information so easily, what else do they maintain access to that we don’t yet know about? To me that is the real question in all of this.”
The lack of information about the attacks from each agency is a cause for concern among security professionals. The Federal Reserve breach, for example, could lead back to vulnerabilities in ColdFusion, the software framework used to build the agency’s Website, Chris Wysopal, chief technology officer for application-security firm Veracode, said in a blog post. Yet, without more information from the Federal Reserve, other companies using the software will be left vulnerable.
“I wish they would just come out and say exactly what the problem was so that other users of the ‘Website vendor product’ could check to see if they are vulnerable and ask the vendor how to fix it,” Wysopal stated.
“The attackers already know the vulnerability so it is likely many more sites are being exploited with the same vulnerability. Who exactly is the Fed protecting by not releasing this information? The security community needs your help.”
While some security experts questioned whether Anonymous had overstated the number of bank executives affected by the leak, identity-protection service PwnedList confirmed that 4,608 individuals were impacted by the breach. Of particular concern is that many executives had both a personal and business email addresses listed, which could lead to convincing spear phishing attacks, Steve Thomas, co-founder of PwnedList, said in an email interview.
“From our analysis, any bank, large or small, should be concerned about the information that was leaked in this data breach,” Thomas said. “We have already worked with several banks to help identify and secure vulnerable executives.”