Congressional Committee Report Finds Something Rotten at FDIC

...

Officials at the United States Federal Deposit Insurance Corporation, which insures deposits in U.S. banks, made false statements to Congress and failed to make timely notification of serious cybersecurity breaches, according to a U.S. House of Representatives Committee on Science, Space and Technology's interim staff report.

FDIC CIO Lawrence Gross has created a toxic work environment, misled Congress, and retaliated against whistle-blowers, the report claims.

The FDIC deliberately evaded congressional oversight, it also says, further noting that the agency has a history of cybersecurity deficiencies that continue into the present.

"The FDIC effectively controls the finances of the country," observed Rob Enderle, principal analyst at the Enderle Group.

"Every U.S. company and every U.S. citizen is at risk if the FDIC fails. I don't think there's any possibility of overstating how bad this is," he told the E-Commerce Times.

The FDIC has experienced seven major cybersecurity breaches, starting in 2010, according to the interim report.

FDIC Chairman Martin Gruenberg in 2013 got a memo from the agency's then inspector general, which included notification of an advanced persistent threat, probably from the Chinese government, compromising an FDIC employee's desktop computer in October 2010, according to the committee report. The memo reportedly noted that the same threat had compromised FDIC computers in 2011 and 2013.

FDIC Chairman Gruenberg testified that the FDIC's IT department did not fully inform him or other members of the agency's board and senior executives about the breaches in 2010 and 2011.

"This kind of thing is far more common in firms and government organizations than most realize," Enderle noted. "Typically, however, the top executive is still held accountable."

Gruenberg earlier this year notified committee Chairman Lamar Smith about a breach that took place in Florida last fall, saying that an employee leaving the FDIC inadvertently had downloaded sensitive information onto a thumb drive -- including customer data for over 10,000 individuals -- and taken it away.

The committee since has learned that the employee had downloaded more than 100,000 files, impacting more than 40,000 individuals and almost 31,000 banks and other entities.

The FDIC earlier this year notified the committee that an employee had obtained sensitive data of 44,000 individuals before leaving the agency. This spring, it retroactively reported five additional major breaches, including one in which a retiring employee took three portable storage devices containing nearly 50,000 individuals' personal data.

In all, sensitive personal information of nearly 160,000 individuals likely was exposed, according to the committee report.

The FDIC decided to offer credit monitoring to the breaches' victims this spring, following a hearing by the Oversight Subcommittee.

"The fact that a quasi-government agency let this go on -- didn't report breaches, didn't react to them and didn't notify consumers -- is terrible," he told the E-Commerce Times.

"For an organization that oversees the banking sector to be hacked and react like this is completely unacceptable," MacGregor emphasized.

The committee's allegations "showcase a level of mismanagement that should result in criminal charges for the CIO who put the nation at risk to protect their negligence," suggested Enderle.

"This was likely due to the fact that security was underfunded, which put that CIO between a rock and a hard place, but they should have resigned and disclosed the breaches. [Blame] should also flow to Congress, because they have been repeatedly warned that their tendency to underfund security is putting the nation at high risk," he said.

The problem is, "we punish the folks who were given an ugly choice but not those that put them there," Enderle added.

"There's always a degree of high drama when these kinds of things are aired in a public forum, but the threat is real," noted Mike Jude, a program manager at Stratecast/Frost & Sullivan.

The revelations are "especially troubling since we're on the verge of an Internet of Things," he told the E-Commerce Times. "Potentially every system, service and device will be network-connected and potentially vulnerable to attack."

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.
