Officials at the United States Federal Deposit Insurance Corporation, which insures deposits in U.S. banks, made false statements to Congress and failed to make timely notification of serious cybersecurity breaches, according to a U.S. House of Representatives Committee on Science, Space and Technology’s interim staff report.
FDIC CIO Lawrence Gross has created a toxic work environment, misled Congress, and retaliated against whistle-blowers, the report claims.
The FDIC deliberately evaded congressional oversight, it also says, further noting that the agency has a history of cybersecurity deficiencies that continue into the present.
“The FDIC effectively controls the finances of the country,” observed Rob Enderle, principal analyst at the Enderle Group.
“Every U.S. company and every U.S. citizen is at risk if the FDIC fails. I don’t think there’s any possibility of overstating how bad this is,” he told the E-Commerce Times.
The FDIC has experienced seven major cybersecurity breaches, starting in 2010, according to the interim report.
FDIC Chairman Martin Gruenberg in 2013 got a memo from the agency’s then inspector general, which included notification of an advanced persistent threat, probably from the Chinese government, compromising an FDIC employee’s desktop computer in October 2010, according to the committee report. The memo reportedly noted that the same threat had compromised FDIC computers in 2011 and 2013.
FDIC Chairman Gruenberg testified that the FDIC’s IT department did not fully inform him or other members of the agency’s board and senior executives about the breaches in 2010 and 2011.
“This kind of thing is far more common in firms and government organizations than most realize,” Enderle noted. “Typically, however, the top executive is still held accountable.”
Gruenberg earlier this year notified committee Chairman Lamar Smith about a breach that took place in Florida last fall, saying that an employee leaving the FDIC inadvertently had downloaded sensitive information onto a thumb drive — including customer data for over 10,000 individuals — and taken it away.
The committee since has learned that the employee had downloaded more than 100,000 files, impacting more than 40,000 individuals and almost 31,000 banks and other entities.
The FDIC earlier this year notified the committee that an employee had obtained sensitive data of 44,000 individuals before leaving the agency. This spring, it retroactively reported five additional major breaches, including one in which a retiring employee took three portable storage devices containing nearly 50,000 individuals’ personal data.
In all, sensitive personal information of nearly 160,000 individuals likely was exposed, according to the committee report.
The FDIC decided to offer credit monitoring to the breaches’ victims this spring, following a hearing by the Oversight Subcommittee.
“Holy cow,” said Jim MacGregor, a principal analyst at Tirias Research.
“The fact that a quasi-government agency let this go on — didn’t report breaches, didn’t react to them and didn’t notify consumers — is terrible,” he told the E-Commerce Times.
“For an organization that oversees the banking sector to be hacked and react like this is completely unacceptable,” MacGregor emphasized.
Who Should Carry the Can
The committee’s allegations “showcase a level of mismanagement that should result in criminal charges for the CIO who put the nation at risk to protect their negligence,” suggested Enderle.
“This was likely due to the fact that security was underfunded, which put that CIO between a rock and a hard place, but they should have resigned and disclosed the breaches. [Blame] should also flow to Congress, because they have been repeatedly warned that their tendency to underfund security is putting the nation at high risk,” he said.
The problem is, “we punish the folks who were given an ugly choice but not those that put them there,” Enderle added.
“There’s always a degree of high drama when these kinds of things are aired in a public forum, but the threat is real,” noted Mike Jude, a program manager at Stratecast/Frost & Sullivan.
The revelations are “especially troubling since we’re on the verge of an Internet of Things,” he told the E-Commerce Times. “Potentially every system, service and device will be network-connected and potentially vulnerable to attack.”