Congressional Report Accuses FDIC of Covering up, Misrepresenting Data Breaches
A critical congressional report was released this week claiming the FDIC has been hacked several times over several years and regulators have been covering up or misrepresenting breaches. In an ongoing investigation by the U.S. House Science, Space and Technology Committee, the report implicates FDIC employees, as well as the Chinese government, as responsible for some of the breaches.
In 2010, the FDIC said that it found that Chinese cyberattackers gained access to FDIC IT systems. Similar attacks occurred between 2011 and 2013. The Office of Inspector General, which notified congressional committees of the breaches, was critical of the agency for failing to alert proper authorities, the report said.
Other examples included a breach last September, when a “disgruntled” employee in New York who was leaving her job with the FDIC downloaded banking information and the Social Security numbers of more than 28,000 individuals to a portable USB device. Rather than immediately reporting the breach directly to Congress as mandated, the FDIC referred to it later in a report.
In 2015, information was stolen again by another employee leaving the agency. Initially, the FDIC said the employee copied sensitive information about more than 10,000 individuals. The report claims the breach affected more than 40,000 individuals and some 30,000 banks and other entities.
“The committee’s interim report sheds light on the FDIC’s lax cybersecurity efforts,” said Rep. Lamar Smith (R-Texas), who is the committee chairman. “The FDIC’s intent to evade congressional oversight is a serious offense. Major improvements need to be made to the FDIC’s cybersecurity mechanisms.”
The committee held a hearing on Jul. 14, during which FDIC Chairman Martin Gruenberg and Acting Inspector General Fred Gibson testified. Gruenberg repeatedly said he didn’t know of staff efforts to conceal the intrusions, according to a Reuters report. In his prepared remarks, Gruenberg outlined steps the FDIC follows for managing cybersecurity, including: identifying higher-risk assets, such as certain hardware, software and data so that they receive more attention when designing cybersecurity protections; developing and implementing safeguards to limit or contain a breach; and taking appropriate actions when a security breach is detected.
Security breaches aren’t new to government agencies. The Fed has identified more than 50 breaches between 2011 and 2015, with some being characterized as espionage, according to a recent Reuters report citing Fed records. In March, criminals reportedly stole money from the Bangladesh central bank’s account at the New York Federal Reserve and diverted $81 million to banks in the Philippines. And on Feb. 9, the same day the IRS announced an attack on its website, President Barack Obama announced a cybersecurity national action plan to address near- and long-term strategies to protect consumer privacy, promote cybersecurity awareness among consumers and maintain economic and national security, among other measures.