Congress hits FDIC cyber breach that ‘boggles the mind’
A series of cybersecurity incidents at the federal office safeguarding bank deposits has seriously shaken the confidence of House members who were dismayed by agency testimony Thursday.
Lawrence Gross, the Federal Deposit Insurance Corp.’s chief information and chief privacy officer, was called before the panel to explain the removal of sensitive electronic data by employees. Members also accused the agency of obstructing a congressional investigation into the cyber-issues.
The House Science, Space and Technology oversight subcommittee also sought more information on a sophisticated cybertheft of FDIC data that subcommittee Chairman Barry Loudermilk (R-Ga.) said was likely done by the Chinese.
Since October, a series of violations by seven employees as they were leaving the agency, including five cases The Post reported earlier this week, resulted in the breach of personal information belonging to more than 160,000 individuals, according to Loudermilk.
“To date, FDIC has failed to notify any of those individuals that their private information may have been compromised,” he added. An FDIC spokesperson confirmed they have not been notified and said “we are going to offer credit monitoring” to the affected individuals. The information includes names, bank account numbers and possibly Social Security numbers in some cases.
The seven apparently unrelated violations occurred “inadvertently,” according to Gross, when the staffers downloaded their own information from work computers as they were resigning from the agency.
Republicans and Democrats were incredulous.
“I have a hard time understanding how you can inadvertently download 10,000 customer records,” Rep. Don Beyer (Va.), the ranking Democrat on the subcommittee, told Gross. Ten thousand was the low end. One case involved 49,000 records. Gross’s contention that the former employees “were not computer proficient” only made matters worse.
This, Beyer said, “boggles the mind.”
Rep. Darin LaHood (R-Ill.) was troubled by Gross’s attitude toward the breaches, which the congressman called “dismissive” and “nonchalant.”
He focused on one case where a former employee denied taking data from the agency and even said she did not know what an external hard drive is. Yet, the former staffer, who went to work for a financial services firm owned by a company based in Bangalore, India, eventually provided the drive to FDIC after government lawyers told her attorney she could face criminal penalties.
Nonetheless, Gross stood by his contention that the former staffer was not adversarial.
Fred W. Gibson Jr., FDIC’s acting inspector general, disagreed with that assessment. He also said one case, which he would not identify, is the subject of a criminal investigation. Gibson said labeling the employee breaches “inadvertent,” as Gross has done, could make it harder to prosecute employees who took agency data home.
Loudermilk and others chided FDIC for not quickly reporting the breaches to Congress as “major incidents” and not providing the committee with all requested documents.
Accusing FDIC of “a pattern of obstruction,” Rep. Lamar Smith, chairman of the full panel, said “if not for the Office of Inspector General’s openness and transparency with the committee, we would not have been aware of the agency’s attempts to avoid providing a full and complete response to the committee. The FDIC’s repeated efforts to conceal information from Congress are inexcusable.”
Gross said the agency has been responsive to committee demands. His “initial judgment” was that the incidents were not serious enough to be labeled major. “I judged the risk of harm to be very low,” he said.
After review by the inspector general’s office, however, he reversed that determination and expedited notification to Congress. Congress would have been notified in any case, he said, adding it was just a matter of timing.
Loudermilk also pressed agency officials on a sophisticated cybertheft from a foreign power, “supposedly China,” that hit FDIC computers, including one used by the former agency head, during 2010 and 2011.
A 2013 inspector general’s report said FDIC’s division of information technology managers “breached their duties in their handling of this incident” when they “elected not to report, or to underreport, information regarding the incident over an extended period of time.”
Gibson said his office is conducting two audits related to cyberbreaches. One is examining how FDIC identifies and reports major security incidents. The other is assessing agency controls for mitigating the risk of an unauthorized release of sensitive information from financial institutions.
Loudermilk also plans to continue the committee’s probe into FDIC cybersecurity problems.
Gross’s testimony, he said, points to “significant security vulnerabilities” at an agency where officials are “either incompetent or … naïve.”