A recently released congressional report blames hackers backed by the Chinese government for cyber attacks targeted at the FDIC. The report goes on to accuse the agency of covering up these attacks in order to expedite the appointment of Martin J. Gruenberg, the current commissioner.
The report comes from the republican officials on the Committee on Science, Space and Technology. The committee met on July 14th to discuss a rash of security concerns involving the FDIC and the protection of sensitive data.
Chinese attackers are accused of targeting the agency on three separate occasions. The first incident occurred in October 2010 and involved an “advanced persistent threat” found on a staff computer. The same threat was identified again in 2011 and 2013.
In total, 12 FDIC computers were infected with the threat along with 10 servers. Some of the most senior members of the agency were singled out. The report reveals that “In essence, a foreign government penetrated FDIC’s computes and the workstations of high-level agency officials, including the former Chairman, the former Chief of Staff and the former General Counsel of the agency,”
Given the FDIC’s role in finance and banking, the agency is in possession of huge repositories of sensitive information. The most valuable data is classified as personally identifiable information (PII) since it can be used to identify individuals out of otherwise anonymous data sets.
The most damning aspects of the report go on to accuse the FDIC of covering up the security breaches and willfully putting the sensitive information at risk. “There was a concern that if news got out about the foreign government hack, Mr. Gruenberg’s confirmation to the position of Chairman may be jeopardized,” the report says.
In addition to external threats, the FDIC has grappled with internal lapses in cyber security in recent years. A major data breach occurred in September 2015 when a disgruntled employee was terminated from the agency and failed to return a USB storage device that contained the social security numbers, living wills, and other PII of 30,000 Americans. Officials from the FDIC did not report this incident to Congress, and the fate of the data is unknown.
In a separate incident, an employee copied PII for 10,000 people prior to quitting his job. The incident was reported, but the FDIC blamed it on human error rather than criminal intent. That claim was refuted when it was revealed that the stored data was carefully organized and cataloged rather than carelessly copied. Included in the data were banking reports and tax files.