Congressional Committee Report Finds Something Rotten at FDIC


Officials at the United States Federal Deposit Insurance Corporation, which insures deposits in U.S. banks, made false statements to Congress and failed to make timely notification of serious cybersecurity breaches, according to an interim staff report from the U.S. House of Representatives Committee on Science, Space and Technology.

FDIC CIO Lawrence Gross has created a toxic work environment, misled Congress, and retaliated against whistle-blowers, the report claims.

The FDIC deliberately evaded congressional oversight, it also says, further noting that the agency has a history of cybersecurity deficiencies that continue into the present.

"The FDIC effectively controls the finances of the country," observed Rob Enderle, principal analyst at the Enderle Group.

"Every U.S. company and every U.S. citizen is at risk if the FDIC fails. I don't think there's any possibility of overstating how bad this is," he told the E-Commerce Times.

The FDIC has experienced seven major cybersecurity breaches, starting in 2010, according to the interim report.

FDIC Chairman Martin Gruenberg in 2013 got a memo from the agency's then inspector general, which included notification of an advanced persistent threat, probably from the Chinese government, compromising an FDIC employee's desktop computer in October 2010, according to the committee report. The memo reportedly noted that the same threat had compromised FDIC computers in 2011 and 2013.

FDIC Chairman Gruenberg testified that the FDIC's IT department did not fully inform him or other members of the agency's board and senior executives about the breaches in 2010 and 2011.

"This kind of thing is far more common in firms and government organizations than most realize," Enderle noted. "Typically, however, the top executive is still held accountable."

Gruenberg earlier this year notified committee Chairman Lamar Smith about a breach that took place in Florida last fall, saying that an employee leaving the FDIC inadvertently had downloaded sensitive information onto a thumb drive -- including customer data for over 10,000 individuals -- and taken it away.

The committee since has learned that the employee had downloaded more than 100,000 files, impacting more than 40,000 individuals and almost 31,000 banks and other entities.

The FDIC earlier this year notified the committee that an employee had obtained sensitive data of 44,000 individuals before leaving the agency. This spring, it retroactively reported five additional major breaches, including one in which a retiring employee took three portable storage devices containing nearly 50,000 individuals' personal data.

In all, sensitive personal information of nearly 160,000 individuals likely was exposed, according to the committee report.

The FDIC decided to offer credit monitoring to the breaches' victims this spring, following a hearing by the Oversight Subcommittee.

"The fact that a quasi-government agency let this go on -- didn't report breaches, didn't react to them and didn't notify consumers -- is terrible," he told the E-Commerce Times.

"For an organization that oversees the banking sector to be hacked and react like this is completely unacceptable," MacGregor emphasized.

The committee's allegations "showcase a level of mismanagement that should result in criminal charges for the CIO who put the nation at risk to protect their negligence," suggested Enderle.

"This was likely due to the fact that security was underfunded, which put that CIO between a rock and a hard place, but they should have resigned and disclosed the breaches. [Blame] should also flow to Congress, because they have been repeatedly warned that their tendency to underfund security is putting the nation at high risk," he said.

The problem is, "we punish the folks who were given an ugly choice but not those that put them there," Enderle added.

"There's always a degree of high drama when these kinds of things are aired in a public forum, but the threat is real," noted Mike Jude, a program manager at Stratecast/Frost & Sullivan.

The revelations are "especially troubling since we're on the verge of an Internet of Things," he told the E-Commerce Times. "Potentially every system, service and device will be network-connected and potentially vulnerable to attack."

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.
