US government telephone system hacked

Hackers broke into the Department of Homeland Security’s phone network and made $12,000 worth of calls to the Middle East and Asia last weekend.

The compromised PBX system belonged to the Federal Emergency Management Agency (FEMA) and had only recently been installed, but it appears a hole was left open by a contractor during the upgrade, according to FEMA spokesman Tom Olshanski.

Calls were made to Afghanistan, Saudi Arabia, India and Yemen, and most were about three minutes long. Provider Sprint detected the fraud over the weekend and halted the calls.

The Department of Homeland Security itself issued a warning to corporations about the vulnerability in 2003.

PBX systems are gradually being replaced by corporate VoIP networks, which have their own security challenges. In either case, lax installation practices often result in default passwords being retained during the initial setup of equipment. Profit-minded hackers can on-sell the minutes obtained by compromising these systems at cut-rate prices.
