Gisec 2022: Meet Jayson E Street, the ethical hacker paid to breach bank security

The American, 54, helps banks strengthen their cybersecurity by exposing their vulnerabilities

Not only has Jayson E Street gotten away with breaching banks’ databases, he has even hacked into the US Department of Treasury, all the while getting paid to do it.

The American, 54, is an ethical hacker, meaning he gets paid by companies to hack into their systems and expose their vulnerabilities in cyberspace.

Speaking to The National on the first day of the Gulf Intelligence and Security Expo Conference (Gisec), being held at the Dubai World Trade Centre until March 23, Mr Street told of some of his most notorious hacking jobs over the past two decades.

“I have the luxury to be able to choose which kind of engagement I’m going to get,” he said.

“I don’t usually get the boring ones. I try to go for something that is unusual or exciting, or something that I’ll be able to travel and see things.”

Mr Street started hacking into banks’ databases in 2010 when he was asked to help secure sensitive data on behalf of the financial institution for which he worked. Since then, he has breached bank security around the world, including in Beirut, Jordan, Jamaica and the US.

With no intention of stealing any money, Mr Street hacks into the “victim’s” system, with a message on a notepad that pops up once it is done, to show the bank their data has been compromised.

One of his most intense hacking jobs was in Kingston, Jamaica, where he pretended to be a TV producer and duped a charity organisation.

“Another company had hired me and I had a whole team of people already working on it,” said Mr Street.

“I came in to help with the security awareness side of it. I assumed the identity of a TV producer and instead of going after the main company, I went after a charity organisation that were on the same network.

“They were on the same scope as the financial institution.”

Mr Street carries out penetration tests, social engineering experiments where he walks into banks, pretends to be a customer and plugs in USBs into their computer.

This operates a code that comprises their machines, exposing just how vulnerable their digital infrastructure is.

Mr Street shows up in usual style – baggy jeans, black t-shirt and a jacket – to test if he will get caught.

But during most bank jobs, he has walked out effortlessly, carrying extremely sensitive data in his pocket.

“What I do with hacking, and what most of my fellow hackers do, is that we look to discover vulnerabilities or try to make things do something that they weren’t supposed to do,” he said.

“And I always tell people – a hacker has never created a vulnerability. What they’ve done is they discovered the vulnerabilities that were there and they have reported it, so people can get it fixed.

“The criminals aren’t going to report it, they’re just going to exploit it.”

Mr Street said his most notorious job was when he accidentally targeted the wrong bank in Beirut.

He said he laughs about it now but it was “horrifying” at the time.

“I did rob the wrong bank. I keep trying to tell people it’s a cool story. They weren’t expecting it at all and it was like a real robbery,” he said.

“I didn’t see what bank I was going into and I did manage to ‘rob’ it.”

One of his most successful hacking jobs, he says, came when he went back to a company that he had hacked before to see if they had taken his advice on how to protect their data.

He rehacked the company in 2020 to see if their digital infrastructure was still vulnerable a year after “stealing” their intelligence.

“I had ‘robbed’ them the year before and we went through educational process. The upper management was so shocked by what I did, they took it seriously,” he said.

“They educated their employees and the CEO talked about it in their yearly meeting.

“I came back next year and I did compromise them but not as successfully as I did before.

“I did get into every department but at some point, I did get caught.”