Congressional Committee Report Finds Something Rotten at FDIC


Officials at the United States Federal Deposit Insurance Corporation, which insures deposits in U.S. banks, made false statements to Congress and failed to make timely notification of serious cybersecurity breaches, according to a U.S. House of Representatives Committee on Science, Space and Technology's interim staff report.

FDIC CIO Lawrence Gross has created a toxic work environment, misled Congress, and retaliated against whistle-blowers, the report claims.

The FDIC deliberately evaded congressional oversight, it also says, further noting that the agency has a history of cybersecurity deficiencies that continue into the present.

"The FDIC effectively controls the finances of the country," observed Rob Enderle, principal analyst at the Enderle Group.

"Every U.S. company and every U.S. citizen is at risk if the FDIC fails. I don't think there's any possibility of overstating how bad this is," he told the E-Commerce Times.

The FDIC has experienced seven major cybersecurity breaches, starting in 2010, according to the interim report.

FDIC Chairman Martin Gruenberg in 2013 got a memo from the agency's then inspector general, which included notification of an advanced persistent threat, probably from the Chinese government, compromising an FDIC employee's desktop computer in October 2010, according to the committee report. The memo reportedly noted that the same threat had compromised FDIC computers in 2011 and 2013.

FDIC Chairman Gruenberg testified that the FDIC's IT department did not fully inform him or other members of the agency's board and senior executives about the breaches in 2010 and 2011.

"This kind of thing is far more common in firms and government organizations than most realize," said Enderle noted. "Typically, however, the top executive is still held accountable."

Gruenberg earlier this year notified committee Chairman Lamar Smith about a breach that took place in Florida last fall, saying that an employee leaving the FDIC inadvertently had downloaded sensitive information onto a thumb drive -- including customer data for over 10,000 individuals -- and taken it away.

The committee since has learned that the employee had downloaded more than 100,000 files, impacting more than 40,000 individuals and almost 31,000 banks and other entities.

The FDIC earlier this year notified the committee that an employee had obtained sensitive data of 44,000 individuals before leaving the agency. This spring, it retroactively reported five additional major breaches, including one in which a retiring employee took three portable storage devices containing nearly 50,000 individuals' personal data.

In all, sensitive personal information of nearly 160,000 individuals likely was exposed, according to the committee report.

The FDIC decided to offer credit monitoring to the breaches' victims this spring, following a hearing by the Oversight Subcommittee.

"The fact that a quasi-government agency let this go on -- didn't report breaches, didn't react to them and didn't notify consumers -- is terrible," he told the E-Commerce Times.

"For an organization that oversees the banking sector to be hacked and react like this is completely unacceptable," MacGregor emphasized.

The committee's allegations "showcase a level of mismanagement that should result in criminal charges for the CIO who put the nation at risk to protect their negligence," suggested Enderle.

"This was likely due to the fact that security was underfunded, which put that CIO between a rock and a hard place, but they should have resigned and disclosed the breaches. [Blame] should also flow to Congress, because they have been repeatedly warned that their tendency to underfund security is putting the nation at high risk," he said.

The problem is, "we punish the folks who were given an ugly choice but not those that put them there, Enderle added."

"There's always a degree of high drama when these kinds of things are aired in a public forum, but the threat is real," noted Mike Jude, a program manager at Stratecast/Frost & Sullivan.

The revelations are "especially troubling since we're on the verge of an Internet of Things," he told the E-Commerce Times. "Potentially every system, service and device will be network-connected and potentially vulnerable to attack."

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.

0 Comment

Leave a Reply

Captcha image


  • 5300c769af79e

    Google Shares a Bunch of New Voice Commands for Your Next Google Maps Adventure

    Through a new blog post, Google is doing its best to make sure you are always getting the most out of one of its greatest apps, Google Maps.The post talks about using voice commands to get you to that next destination, tweak settings, avoid tolls, and even get out of navigation if you just want to look at a map.
  • 5300c769af79e

    Jason Burby, Possible Americas

    As President of the Americas, Jason Burby is responsible for leading the long-term stability and growth of the region.With 20-plus years experience in digital strategy, he is a long-time advocate of using data to inform digital strategies to help clients attract, convert, and retain customers.
  • 5300c769af79e

    Nike SNKRS Update Brings Fingerprint Authentication for Purchasing, Release Widget

    For those who utilize Nike’s SNKRS app to grab the latest launches from The Swoosh, an update is bringing features that might help with a more speedy checkout process.Once the app is updated, users can take advantage of fingerprint authentication when purchasing, allowing you to skip additional security when making a purchase.
  • 5300c769af79e

    Roost Smart Smoke Alarm Takes on Nest

    Available now to pre-order, the RSA-400 and RSA-200 detect smoke, fire, carbon monoxide, and natural gas without breaking the bank.Once synced, users receive smartphone alerts whenever the alarm sounds, whether they're home or away.