Yet, while the public’s trust in FDIC is strong, a series of incidents threaten to undermine confidence in the agency’s cybersecurity system. The personal information of American taxpayers has been jeopardized.
Even the workstation of a former agency chairwoman was among almost 100 computers or servers hit during sophisticated attacks in 2010 and 2011, according to a previously undisclosed FDIC Office of Inspector General (OIG) report.
The 2013 OIG document, labeled “Confidential Investigative Material – For Official Use Only,” said an “advanced persistent threat . . . penetrated over 90 workstations or servers with specialized tools that ultimately allowed the creation of valid administrator accounts providing full access” to FDIC information technology.
Evidence indicates the cyberthieves “exported data from FDIC machines to servers outside the FDIC network. Twelve of the infected computers were those of FDIC executives.” The report did not identify the chairperson or the other executives by name, but Sheila Bair was chair from June 2006 until July 8, 2011. The report was addressed to the current chairman, Martin J. Gruenberg, who succeeded Bair.
The OIG also was critical of FDIC’s division of information technology, which “violated its own policies and procedures for handling computer security incidents and did so deliberately.”
Also hit were email servers and the personal network drives of OIG employees containing personal health-care information and other “personally identifiable information,” which often refers to names and Social Security numbers.
The report will be among the topics at a House Science, Space and Technology Committee hearing Thursday. Lawrence Gross Jr., FDIC’s chief information and chief privacy officer, and Fred W. Gibson, the agency’s acting inspector general, also likely will be quizzed about a series of separate and apparently inadvertent cyber-breaches committed by former staffers as they were leaving the agency.
This week, The Washington Post disclosed five “major incidents” of FDIC cybersecurity breaches since Oct. 30. In those cases, five departing employees each used personal storage devices to download sensitive customer information of 10,000 to more than 49,000 individuals. In every case the downloads were done “without malicious intent,” according to a May 9 memorandum from Gross to Gruenberg obtained by The Post.
Though FDIC found no malicious intent, the case involving more than 49,000 records was the only one where the original personal storage device was destroyed before it could be recovered by FDIC. Furthermore, information was copied to another device by the former staffer who could not provide a receipt confirming the destruction of the first device by a hardware disposal company.
In another case not among the five, a Gainesville, Fla., Bank Secrecy Act specialist, who resigned in October, downloaded Social Security numbers and customer bank data to a Western Digital external drive. A Dec. 2 letter to the former employee’s lawyer from FDIC said the staffer repeatedly told officials she did not download any data to a personal device.
Despite the former employee’s claims, “the FDIC ultimately recovered the USB drive from the employee,” according to a Feb. 19 memo from Mark F. Mulholland, an assistant inspector general, to Gross.
Committee Chairman Lamar Smith (R-Tex.) told Gruenberg, the FDIC chairman, in an April 20 letter that the panel “remains concerned that the FDIC does not have the necessary controls in place to prevent and respond appropriately to security breaches.”
Barbara Hagenbaugh, an FDIC spokeswoman, responded: “We have taken a number of significant steps in recent years to strengthen the FDIC’s information security program and we are continuously working to address emerging threats.”
Following the 2013 report, Gibson said “the agency created a senior level forum to address cyber-security matters; realigned the roles and responsibilities of the Chief Information Officer, the Chief Information Security Officer and the Information, Security and Privacy staff; modified other processes and procedures; and took other steps to remediate” the advanced persistent threat.
All that apparently is not enough.
Referring to the October download by a former employee, Smith’s April 20 letter to Gruenberg noted that FDIC did not retrieve the personal device with agency information for more than six weeks.
This, Smith said, “raises serious questions about the FDIC’s cybersecurity posture and preparedness to appropriately minimize damage in the aftermath of a breach.”