After Anonymous posted sensitive credentials of over 4,600 banking executives to a government Web site on Super Bowl Sunday, the Federal Reserve acknowledged the attack in a Tuesday morning statement to affected individuals and press.
However, while a spokesperson from the Federal Reserve told The Huffington Post that Anonymous' claim to the hack's importance was "overstated," information security professionals that serve financial institutions are saying the exact opposite—and are not best pleased with the Federal Reserve.
ZDNet has now learned that the compromised and exposed database belongs to The St. Louis Fed Emergency Communications System.
According to The Banker's Advocate, ECS is the emergency communications system for seventeen states, with plans to add seven new states this year.
ECS estimates it holds 40 percent of America's state-chartered banks as its users.
The ECS was deployed in 2008 and is the means by which bank supervisory agencies such as the Bank Department and the Federal Reserve Supervision and Regulation functions to communicate with financial institutions during emergencies.
The ECS system enables agencies to establish two-way communications channels with institutions during a crisis to exchange critical information; crises such as natural or man-made disasters (weather, fire, and so on), "chemical biological events or threats," and "events affecting the financial markets."
Sensitive information on thousands at state-charter banks and credit unions—including login information, credentials, IP addresses, and contact information—was listed in a spreadsheet and posted to a government site, then announced and claimed by the "Operation Last Resort" faction of Anonymous.
The government Web site, which was compromised and used to post the spreadsheet, The Alabama Criminal Justice Information Center, did not respond to requests for comment from the Washington Post.
The page—with URL filename "oops-we-did-it-again"—remained accessible into early Monday morning PST. A cached version of the page was still available as of Tuesday afternoon, as well as a copy of the raw text placed on Pastebin at the time of the attack.
A Federal Reserve spokesperson told Reuters exactly what it sent in the email to affected individuals, saying: "The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a Web site vendor product."
Contact from the Federal Reserve to affected individuals was independently verified to ZDNet by a source, who spoke on terms of confidentiality.
ZDNet's source provided a copy of Federal Reserve's email to those on the list, revealing that affected institutions were notified about a breach and that their passwords to the affected system (a Web site with a contact database for banks to use during a natural or man-made disaster) would be changed.
more here:
http://www.zdnet.com/anger-rises-as-fed-confirms-anonymous-hack-downplays-us-bank-emergency-system-breach-7000010902/