Congressional Committee Report Finds Something Rotten at FDIC

...

Officials at the United States Federal Deposit Insurance Corporation, which insures deposits in U.S. banks, made false statements to Congress and failed to make timely notification of serious cybersecurity breaches, according to a U.S. House of Representatives Committee on Science, Space and Technology's interim staff report.

FDIC CIO Lawrence Gross has created a toxic work environment, misled Congress, and retaliated against whistle-blowers, the report claims.

The FDIC deliberately evaded congressional oversight, it also says, further noting that the agency has a history of cybersecurity deficiencies that continue into the present.

"The FDIC effectively controls the finances of the country," observed Rob Enderle, principal analyst at the Enderle Group.

"Every U.S. company and every U.S. citizen is at risk if the FDIC fails. I don't think there's any possibility of overstating how bad this is," he told the E-Commerce Times.

The FDIC has experienced seven major cybersecurity breaches, starting in 2010, according to the interim report.

FDIC Chairman Martin Gruenberg in 2013 got a memo from the agency's then inspector general, which included notification of an advanced persistent threat, probably from the Chinese government, compromising an FDIC employee's desktop computer in October 2010, according to the committee report. The memo reportedly noted that the same threat had compromised FDIC computers in 2011 and 2013.

FDIC Chairman Gruenberg testified that the FDIC's IT department did not fully inform him or other members of the agency's board and senior executives about the breaches in 2010 and 2011.

"This kind of thing is far more common in firms and government organizations than most realize," Enderle noted. "Typically, however, the top executive is still held accountable."

Gruenberg earlier this year notified committee Chairman Lamar Smith about a breach that took place in Florida last fall, saying that an employee leaving the FDIC inadvertently had downloaded sensitive information onto a thumb drive -- including customer data for over 10,000 individuals -- and taken it away.

The committee since has learned that the employee had downloaded more than 100,000 files, impacting more than 40,000 individuals and almost 31,000 banks and other entities.

The FDIC earlier this year notified the committee that an employee had obtained sensitive data of 44,000 individuals before leaving the agency. This spring, it retroactively reported five additional major breaches, including one in which a retiring employee took three portable storage devices containing nearly 50,000 individuals' personal data.

In all, sensitive personal information of nearly 160,000 individuals likely was exposed, according to the committee report.

The FDIC decided to offer credit monitoring to the breaches' victims this spring, following a hearing by the Oversight Subcommittee.

"The fact that a quasi-government agency let this go on -- didn't report breaches, didn't react to them and didn't notify consumers -- is terrible," he told the E-Commerce Times.

"For an organization that oversees the banking sector to be hacked and react like this is completely unacceptable," MacGregor emphasized.

The committee's allegations "showcase a level of mismanagement that should result in criminal charges for the CIO who put the nation at risk to protect their negligence," suggested Enderle.

"This was likely due to the fact that security was underfunded, which put that CIO between a rock and a hard place, but they should have resigned and disclosed the breaches. [Blame] should also flow to Congress, because they have been repeatedly warned that their tendency to underfund security is putting the nation at high risk," he said.

The problem is, "we punish the folks who were given an ugly choice but not those that put them there," Enderle added.

"There's always a degree of high drama when these kinds of things are aired in a public forum, but the threat is real," noted Mike Jude, a program manager at Stratecast/Frost & Sullivan.

The revelations are "especially troubling since we're on the verge of an Internet of Things," he told the E-Commerce Times. "Potentially every system, service and device will be network-connected and potentially vulnerable to attack."

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.
