The Federal Reserve detected more than 50 cyber breaches between 2011 and 2015, with several incidents described internally as “espionage”, according to Fed records.
The US central bank’s staff suspected hackers or spies in many of the incidents, the records show. The Fed’s computer systems play a critical role in global banking and hold confidential information on discussions about monetary policy that drives financial markets.
The cybersecurity reports, obtained by Reuters through a Freedom of Information Act request, were heavily redacted by Fed officials to keep secret the central bank’s security procedures.
The Fed declined to comment, and the redacted records do not say who hacked the bank’s systems or whether they accessed sensitive information or stole money.
“Hacking is a major threat to the stability of the financial system. This data shows why,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a Washington thinktank. Lewis reviewed the files at the request of Reuters.
The records represent only a slice of all cyber-attacks on the Fed because they include only cases involving the Washington-based Board of Governors, a federal agency that is subject to public records laws. Reuters did not have access to reports by local cybersecurity teams at the central bank’s 12 privately owned regional branches.
The disclosure of breaches at the Fed comes at a time when cybersecurity at central banks worldwide is under scrutiny after hackers stole $81m from a Bangladesh Bank account at the New York Fed.
Cyber thieves have targeted big financial institutions around the world, including America’s largest bank, JPMorgan, as well as smaller players such as Ecuador’s Banco del Austro and Vietnam’s Tien Phong Bank.
Hacking attempts were cited in 140 of the 310 reports provided by the Fed’s board. In some reports, the incidents were not classified in any way.
In eight information breaches between 2011 and 2013 – a time when the Fed’s trading desk was buying huge amounts of bonds – Fed staff wrote that the cases involved “malicious code”, referring to software used by hackers.
Four hacking incidents in 2012 were considered acts of “espionage”, according to the records. Information was disclosed in at least two of those incidents, according to the records. In the other two incidents, the records did not indicate whether there was a breach.