Lawmakers Criticize FDIC Cybersecurity Policies
Since October 2015, the FDIC has disclosed to Congress seven breaches, potentially exposing sensitive personal information of nearly 160,000 Americans, lawmakers said during a House Science, Space and Technology Committee subcommittee hearing. But lawmakers suggested that was only part of the picture.
“The breaches reported to Congress represent only those that the agency has deemed ‘major,’” said committee Chairman Rep. Lamar Smith (R., Texas). “In reality, the FDIC likely has experienced additional breaches deemed insufficient by the agency to warrant reporting to Congress.”
Thursday’s hearing focused on two of the major breaches that occurred within the past seven months—one in February 2016 and the other in October 2015, compromising the personal data of 44,000 and 10,000 bank customers, respectively.
This week, the FDIC retroactively reported five additional major breaches to the committee. One of those instances included an employee who retired from the FDIC and took three portable storage devices containing the personal information of more than 49,000 individuals.
The hearing also came a day after the agency’s inspector general released a 2013 report showing that cybercriminals hacked into nearly 100 computers at the FDIC, stealing bank customers’ personal information. The intrusions, which occurred between 2010 and 2011, included a dozen computers used by FDIC executives, including Sheila Bair, who was the agency’s chairwoman at the time.
Cybersecurity increasingly has been an issue for the federal government. In June, the U.S. Office of Personnel Management disclosed it lost 4.2 million personnel records as part of at least two cyberattacks in 2014. The number of cybersecurity incidents reported by federal agencies climbed last year, even as officials have tried to clamp down on governmentwide information-technology vulnerabilities.
“Unfortunately, the FDIC is failing to live up to its mission of maintaining public confidence in the nation’s financial system because the agency is failing to safeguard private banking information for millions of Americans who rely on FDIC,” said Rep. Barry Loudermilk (R., Ga.), chairman of the oversight subcommittee.
In April, the committee sent a letter to the FDIC asking the agency to provide more information about the February breach, and any others at the agency since 2009. Less than two weeks later, the committee sent a separate letter to the agency concerning the October breach.
“The American people have good reason to question whether their private banking information is properly secured by the FDIC,” said Mr. Loudermilk.
FDIC Chief Information Officer Lawrence Gross said the agency is taking steps to better defend itself against cyberattacks, including eliminating the use of portable storage devices like flash drives or CDs by employees. The agency is also upgrading software to better protect sensitive information and undertaking a review of all security policies for all departing employees, he said.
“The FDIC takes very seriously cybersecurity, incident management, and transparency as it relates to our reporting requirements and remains committed to maintaining a robust IT security program that ensures a real-time current view of our situational awareness,” Mr. Gross said in prepared testimony.
The February incident occurred when an employee who was leaving the agency downloaded data to a personal storage device “inadvertently and without malicious intent,” the inspector general’s report said. An FDIC probe concluded that no sensitive information was “disseminated or compromised,” according to an internal memo sent to FDIC Chairman Martin Gruenberg in March.
Mr. Gross told lawmakers that, based on his assessment of the February incident, he “judged the risk of harm to be very low.” But the agency’s Office of Inspector General reviewed the case and recommended it be reported to Congress as a “major incident.”
“Although our interpretations differed, we nevertheless gave such notification to Congress,” Mr. Gross said in his prepared testimony.
He also directed staff to retroactively identify any incidents that would meet the inspector general’s interpretation of “major incident.”
The former employee, who hasn’t been identified, previously worked on bank closings. Data in files the employee downloaded included names, addresses and Social Security numbers.