WASHINGTON – Science, Space, and Technology Committee Chairman Lamar Smith (R-Texas) and Oversight Subcommittee Chairman Barry Loudermilk (R-Ga.) today released the following statements in response to the release of two Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) reports on cybersecurity breaches at the FDIC.
One FDIC OIG report outlines the FDIC’s process for identifying and reporting major information security incidents. The report follows what is referred to as the “Florida Incident” in which a former FDIC employee copied a large quantity of sensitive information, including personally identifiable information, to a removable storage device and took this information with them when they departed FDIC. The FDIC OIG found the FDIC failed to follow OMB guidelines for reporting major breaches to Congress. In addition, FDIC did not accurately portray the extent of the risk associated with the Florida Incident.
The second report examines FDIC’s controls for mitigating the risk of an unauthorized release of sensitive resolution plans, or living wills of banks. A former FDIC employee copied three resolution plans onto a USB drive prior to their departure from FDIC. The FDIC OIG found that FDIC’s lack of an insider threat program directly impacted this incident. Again, in this case, the FDIC tried to conceal the true facts from congressional overseers.
Chairman Lamar Smith (R-Texas): “Mismanagement and attempts to cover up cybersecurity breaches negatively affecting hundreds of thousands of taxpayers’ personally identifiable information will not be tolerated. Today's reports by the Inspector General confirm what the committee’s investigation has revealed: the FDIC misrepresented key facts in the incident, including whether the former employee was adversarial and whether the employee downloaded information inadvertently.
“The committee applauds the OIG's extensive audit work on the FDIC's recent cybersecurity breaches. These reports further shed light on the FDIC's culture of misrepresenting and inhibiting information being provided to Congress, its lackluster cybersecurity posture, and its need for substantial improvement to its cybersecurity mechanisms to prevent further breaches from occurring. This lack of transparency and accountability is unacceptable, and Americans deserve better from their government. The committee looks forward to hearing explanations from the FDIC Chairman next week regarding the decisions made at the agency and how the chairman plans to move forward in a positive, transparent manner.”
Oversight Subcommittee Chairman Barry Loudermilk (R-Ga.): “Unfortunately, the FDIC is failing to live up to its mission of maintaining public confidence in the nation’s financial system because the agency is failing to safeguard private banking information. During our committee’s investigation, it has become clear that FDIC has a long history of cybersecurity incidents.
“The FDIC OIG found that many of their employees have been storing personal banking information of thousands of Americans. One FDIC employee downloaded a total of 71,069 individuals and entities' information. In total, the employee stored 100,966 files and created two folders on his portable storage device. One of these folders was purposed as a small set of personal files and the other folder solely for FDIC materials, with each of the files conveniently labeled with bank names or with the types of bank data in the files.
“In our hearings and briefings before this committee, factual material of the incident has been misrepresented to the committee and to Congress on numerous occasions. Senior management at the FDIC, and individuals within the chairman's office, including the Deputy to the Chairman, Chief Operating Officer, and Chief of Staff, knew this was a major incident under FISMA as early as December 7, 2015. As evidence of a culture of mismanagement, these senior officials deliberately failed to report the incident and only after the OIG urged the agency to meet its requirement to report the breach to Congress in accordance with OMB requirements did they act to do so. The FDIC reported the incident on February 26, 2016, over four months after the breach.
“The OIG’s Sensitive Resolution Plans incident report further confirms that the FDIC's lack of an insider threat program had a direct impact on the incident. The former employee had an extensive history of incidents rising to the level of a security risk, which should have sounded internal alarms. The report reveals that this former employee carried out a breach several months prior to the September breach where the employee transmitted unencrypted, sensitive information to two personal e-mail accounts. The former employee then later denied that the activity was prohibited. I plan to continue a thorough oversight of the FDIC, and work with my colleagues to shed light on their culture of mismanagement within the walls of the FDIC, holding agency officials accountable.”