A scathing congressional report released on Wednesday found the Federal Deposit Insurance Corporation (FDIC) responsible for committing numerous security breaches while attempting to cover up the incidents by misleading Congress. Besides FDIC employees allegedly stealing the personal data of hundreds of thousands of individuals, the congressional report also accused the Chinese government of penetrating FDIC computers belonging to top agency officials, including the former Chairman and the former Chief of Staff.
According to the House of Representatives’ Science, Space, and Technology Committee’s report on the FDIC’s cybersecurity, several FDIC employees have recently been responsible for “accidentally” copying the personal data and banking information of more than 160,000 individuals onto personal storage devices. None of those security breaches were initially reported to the committee.
In September 2015, a disgruntled FDIC employee in New York left her job with “a portable USB device containing sensitive resolution plans, commonly known as living wills, sensitive banking information, and the social security numbers of 28,000 – 30,000 individuals.” Instead of reporting the breach to Congress, the FDIC merely referenced the incident in their annual internal report.
Besides failing to report employee security breaches to Congress, the FDIC has also been accused of misrepresenting facts while obstructing investigations into the breaches. The committee also found FDIC Chief Information Officer Lawrence Gross “has created a toxic work environment, misled Congress, and retaliated against whistleblowers.”
According to the report, Gross removed an official from his position for disagreeing with him regarding the CIO’s failure to report a Florida security breach to Congress. While claiming to have taken steps to prevent further breaches, Gross has reportedly done very little to minimize the use of portable storage devices and has implemented a laptop initiative against the advice of his cybersecurity experts.
In October 2010, the FDIC’s Division of Information Security discovered “an FDIC employee’s desktop computer had been compromised by an advanced persistent threat” believed to have been sent by the Chinese government. Although the report does not offer any evidence of China’s involvement, the committee learned 12 workstations were compromised and ten FDIC servers were penetrated by a malicious virus, including computers belonging to the former Chairman, the former Chief of Staff, and the former General Counsel of the agency.
Although the FDIC OIG issued a report in 2013 “finding that the FDIC computer system – even the former Chairwoman’s computer – had been hacked by a foreign government, likely the Chinese,” former CIO Russ Pittman allegedly instructed employees not to report the breach in order to avoid negatively impacting the outcome of FDIC Chairman Martin Gruenberg’s confirmation by the U.S. Senate.
Gruenberg is scheduled to testify on Thursday before the committee regarding the agency’s recent breaches and disturbing lack of cybersecurity.