The U.S. Federal Reserve said on Thursday it was still working to
determine the extent its computer systems had been breached by hackers,
adding that the incident was the subject of a criminal probe by the
Federal Bureau of Investigation.
"We are in the process of a
comprehensive assessment to determine what information might have been
obtained in this incident," said Federal Reserve spokesman Jim Strader.
"We remain confident that this incident did not affect critical
operations of the Federal Reserve."
The online intrusion, which
has embarrassed the U.S. central bank and raised questions about the
effectiveness of its security, was publicized on Sunday by activist
group Anonymous.
The integrity of the Fed's systems is vital to
ensure confidence in its ability to securely transmit highly
confidential information, including communications about U.S. monetary
policy and the banks that it supervises.
The Fed statement on
Thursday was its first explicit acknowledgment that it did not yet know
the extent of the security breach. Cyber-security specialists say it
takes time to thoroughly investigate a stealthy intrusion by skilled
hackers.
Anonymous claimed that it had published personal
information from more than 4,000 U.S. bank executives gleaned from a
password-protected Fed website.
The website, called the Emergency
Communication System (ECS), exists to provide bank contact information
in the event of a natural or other disaster. It is managed by the St.
Louis Federal Reserve Bank.
A message sent by the Fed to ECS users
and obtained by Reuters on Tuesday warned that personal information,
including mobile and business telephone numbers, email and business
addresses, had been obtained by the online intruders.
Strader said
it was possible that more information might still be released by the
hackers, but declined to spell out if data from a site other than the
ECS had been obtained.
"This incident is the subject of an active criminal investigation with the FBI and we cannot comment further," he said.
The
Fed also declined to comment on when the attack took place, how long it
took for the breach to be discovered and what type of system or
vulnerability was exploited.
A review by Reuters of the code on
the ECS site home page shows it runs on ColdFusion, a program used to
build websites that software maker Adobe Systems Inc patched in
mid-January to repair several critical security flaws.
The company
said hackers could take advantage of those bugs to break into computer
systems, access restricted files and take control of affected servers.
© Thomson Reuters 2013