A scathing congressional report points the finger at hackers sponsored by the Chinese government for their role in a series of hacks against the U.S. Federal Deposit Insurance Corp. (FDIC). The report also alleges the agency covered up the hacks in order to guarantee the appointment of current chairman Martin J. Gruenberg.
The report from the Republican members of the Committee on Science, Space and Technology comes a day ahead of tomorrow’s full committee hearing, scheduled for 10 a.m. EST.
The FDIC’s overall security posture is being questioned in the aftermath of the report, which describes a litany of intrusions that exposed personally identifiable information (PII) as well as incidents in which insiders walked out with sensitive data.
The report discloses three separate attacks—in 2010, 2011 and 2013—that the committee attributes to the Chinese government. The first attack described in the report was disclosed in October 2010 following the compromise of an FDIC employee’s desktop by “an advanced persistent threat.” The report alleges that the same APT compromised FDIC computers twice more by 2013.
“In essence, a foreign government penetrated FDIC’s computers and the workstations of high-level agency officials, including the former Chairman, the former Chief of Staff and the former General Counsel of the agency,” the report says. “In all, twelve workstations were compromised and ten FDIC servers were penetrated and infected by a virus created by the hacker.”
The report also alleges that former chief information officer Russ Pittman told subordinates not to discuss the hacks so as not to affect the Senate confirmation of Gruenberg as chairman.
“There was a concern that if news got out about the foreign government hack, Mr. Gruenberg’s confirmation to the position of Chairman may be jeopardized,” the report says. “This is one earlier example of the current pattern observed by the Committee of concealing information from Congress. The American people and the FDIC employees have a right to know their PII and sensitive banking information is being actively protected.”
The report also accuses the FDIC of misrepresenting other breaches to staff, claiming that breaches were not malicious when the opposite was true. One case stemmed from a September 2015 breach in New York in which a disgruntled employee failed to return a USB storage device upon her termination. The device contained living wills, Social Security numbers and other personal data of as many as 30,000 people. The breach was not reported to Congress.
An October 2015 breach involved an FDIC employee who copied PII belonging to 10,000 people onto a portable storage device before leaving his job. The breach, as it turned out, affected more than 71,000 people and banks, and the employee not only downloaded and took PII, but also downloaded sensitive banking reports and tax files. The report says the FDIC misrepresented the employee’s intent, claiming he had been trying to copy family photos when the PII ended up on the device and that he was not computer proficient. The truth, according to the report, was that the employee had created separate folders on the device for personal files and for FDIC materials, with each FDIC file labeled by bank name and data type. “This demonstrates an understanding of computers, information downloads and storage—not the work of a novice computer user,” the report said.
The report—and tomorrow’s hearing—figure to further shine a harsh light on the FDIC’s security capabilities.