The FBI is investigating more than $12,000 in calls to the Middle East and Asia that were made when a hacker broke into the Federal Emergency Management Agency's phone system 10 days ago.
The hacker made more than 400 calls on a FEMA voice-mail system in Emmitsburg, Md., on Aug. 16 and 17. FEMA said it appears that a "hole" was left open by the contractor when the voice-mail system was being upgraded. A FEMA spokesman said the gap in the system has since been closed.
"We are investigating it," FBI spokesman Jason Pack said Tuesday. "We are working with FEMA to get to the bottom of it."
One security expert called this type of hacking low-tech and "old school" — something that was popular 10 to 15 years ago.
Afghanistan, Saudi Arabia, India and Yemen are among the countries that calls were made to. Most of the calls were about three minutes long, but some were as long as 10 minutes.
Sprint caught the fraud and halted all outgoing long-distance calls from FEMA's National Emergency Training Center in Emmitsburg.
FEMA is part of the Homeland Security Department, which in 2003 put out a warning about this very vulnerability.
The voice-mail system that was hacked is new and recently was installed. It is a Private Branch Exchange, or PBX, a traditional corporate phone network that is used in thousands of companies and government offices. Many companies are moving to a higher tech version.
"In this case it's sort of embarrassing that it happened to FEMA themselves — FEMA being a child of DHS, with calls going to the Middle East," John Jackson, a St. Louis-based security consultant, said last week when he learned of the hacked system.
In 2003, Homeland Security and the FBI investigated multiple reports about private industry being breached by these types of hackers.
"This illegal activity enables unauthorized individuals anywhere in the world to communicate via compromised U.S. phone systems in a way that is difficult to trace," according to a Homeland Security Department information bulletin from June 3, 2003.
