U.S. regulators tell banks to address 'Heartbleed' risk

WASHINGTON Thu Apr 10, 2014 6:43pm EDT

File illustration picture of computer keyboard with letters stacked forming the word 'password' taken in Warsaw, December 12, 2013. REUTERS/Kacper Pempel/Files

WASHINGTON (Reuters) - U.S. financial regulators on Thursday told banks to upgrade their systems as soon as possible if they are vulnerable to the recently uncovered "Heartbleed" bug, which exposes data to hackers.

The Federal Financial Institutions Examination Council, an interagency group that includes the Federal Reserve and the Federal Deposit Insurance Corp, said banks also should set up temporary patches for any systems using the Web encryption program known as OpenSSL and warn their outside service providers to take action.

Researchers said this week they found evidence of hackers scanning the Internet in search of Web servers running the widely used encryption program.

The bug, which apparently has existed since 2011 but was only recently discovered, means many websites could be vulnerable to theft of data including passwords and credit card numbers.

"Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks," the Federal Financial Institutions Examination Council said in its warning to banks.

The group said after banks patch their systems, they should consider telling customers and administrators to change their passwords.

(Reporting by Emily Stephenson; Editing by Steve Orlofsky)