A report published by the House Committee on Science, Space and Technology today found that hackers purported to be from China had compromised computers at the Federal Deposit Insurance Corporation repeatedly between 2010 and 2013. Backdoor malware was installed on 12 workstations and 10 servers by attackers—including the workstations of the chairman, chief of staff, and general counsel of the FDIC. But the incidents were never reported to the US Computer Emergency Response Team (US-CERT) or other authorities and were only brought to light after an Inspector General investigation into another serious data breach at the FDIC in October of 2015.
The FDIC failed at the time of the “advanced persistent threat” attacks to report the incidents. Then-inspector general at the FDIC, Jon Rymer, lambasted FDIC officials for failing to follow their own policies on breach reporting. Further investigation into those breaches led the committee to conclude that former FDIC CIO Russ Pittman misled auditors about the extent of those breaches and told employees not to talk about the breaches by a foreign government so as not to ruin FDIC Chairman Martin Gruenberg’s chances of confirmation.
The cascade of bad news began with an FDIC Office of the Inspector General (OIG) investigation into the October “Florida incident.” On October 23, 2015, a member of the Federal Deposit Insurance Corporation’s Information Security and Privacy Staff (ISPS) discovered evidence in the FDIC’s data loss prevention system of a significant breach of sensitive data—more than 1,200 documents, including Social Security numbers from bank data for more than 44,000 individuals and 30,715 banks, were copied to a USB drive by a former employee of FDIC’s Risk Management Supervision field office in Gainesville, Florida. The employee had copied the files prior to leaving his position at the FDIC. Despite intercepting the employee, the actual data was not recovered from him until March 25, 2016. The former employee provided a sworn statement that he had not disseminated the information, and the matter was dropped.
However, Gruenberg told Science, Space and Technology Committee Chairman Rep. Lamar Smith (R-Texas) in a February letter about the breach that only about 10,000 “individuals and entities” were affected by the leak and that the former employee was cooperative. That claim was contradicted by the FDIC’s Office of the Inspector General after it used that breach for an audit of the FDIC’s security processes—indicating that the actual number was several times larger and that there were other breaches that had not been reported. One of those was a similar breach in September when a disgruntled employee in New York left with a USB drive containing the SSNs of approximately 30,000 people. That breach had been glossed over by the FDIC’s CIO, Lawrence Gross, and had only been mentioned in an annual Federal of Information Security Management Act (FISMA) report, despite its classification as a “major” breach. This was in addition to a similar, reported breach in February when another departing employee in Texas “inadvertently and without malicious intent” downloaded 44,000 records.
Then in May, the FDIC “retroactively reported five additional major breaches” to the committee, according to the report. Only after a Congressional hearing on those breaches did the FDIC offer credit monitoring services to the more than 160,000 individuals whose personal information was included in the data leaked.
The committee’s report accuses Gross—who took over in 2015 after former FDIC CIO Barry West disappeared on “administrative leave” in June of last year for unknown reasons—of creating a “toxic workplace” for FDIC’s IT team and of sabotaging efforts to improve the agency’s security footing. Nearly 50 percent of FDIC employees can use portable storage devices such as USB drives or portable disk drives, and the only thing assuring the FDIC that data was not being disseminated by former employees are signed affidavits. Gross is also the driving force behind an initiative to purchase 3,000 laptops for FDIC employees, arguing that laptops are more secure than desktops.