Online financial firm hacked

Financial software and services company S1 confirms an attacker gained access to one of the company's servers.

Robert Lemos Staff Writer, CNET News.com

Robert Lemos

covers viruses, worms and other security threats.

See full bio

Robert Lemos

Jan. 2, 2002 4:43 p.m. PT

Online financial services provider S1 acknowledged Friday that it suffered an electronic break-in last month, when an unknown attacker exploited a security flaw to access one of the company's servers.

While he would not discuss details of the intrusion, Paul Citarella, vice president of marketing for the Atlanta-based company, said that the attack did not affect the company's operations.

"A minor incident did occur where someone leveraged a vulnerability in third-party software to access data that they should not have," he said. "All of our banks are up and running and there has been no fraud following the incident."

The company provides software and services for financial institutions ranging in size from the goliath Bank of America to small community banks. In total, S1 has more than 1,000 customers worldwide, according to its Web site.

Citarella added that S1 has called in both the FBI and an independent security firm to investigate the matter. But a representative of the FBI field office in Atlanta said that they were not aware of the incident and were not investigating.

Details of the intrusion were first reported on security Web site SecurityFocus.

The attackers had access to a Windows NT directory that houses Web banking customers' login names and encrypted passwords, the report stated. Using "brute force" decryption techniques, a hacker could decrypt the passwords and compromise accounts.

The incident took place on June 19, according to the SecurityFocus report. Citarella would not confirm the date.