Bair Was Target of Undisclosed FDIC Cyber Breach

WASHINGTON — A day before a top Federal Deposit Insurance Corp. official was set to testify about recent cybersecurity breaches, a leaked report shows the agency's troubles are more extensive than previously known.

The Office of the Inspector General report, published by The Washington Post, noted that the agency had repeatedly failed to disclose serious cyberattacks to the proper authorities and counterparties. This included a long-running malware attack that affected the work computers of top executives, including former Chairman Sheila Bair.

Information technology division management officials "breached their duties in their handling of this incident," former FDIC Inspector General Jon Rymer said in the report, dated May 2013. "As such," the agency "was unduly subjected to increased risk, and actual, unauthorized access to and exfiltration of sensitive data."

The report detailed several failures on the part of the FDIC's chief information officer and information technology staff to evaluate the gravity of the breaches and respond accordingly.

A threat first detected in October 2010 by a former FDIC inspector general office employee eventually infected over 90 workstations, including those of 12 top agency executives. Besides Bair, the agency's former general counsel, chief financial officer and director of the office of international affairs were also targeted.

Though the attack was described by the information technology division as "extremely professional and well crafted," the group failed to properly inform FDIC leadership and other involved parties of the gravity of the threat, according to the report.

In August 2011, after other incidents were detected, Russell Pittman, the head of the FDIC's information technology division, briefed the agency's leadership on the threat. The meeting lasted just about an hour, and documents produced included a Vanity Fair article about Chinese hackers, according to the report.

The FDIC also failed to notify other government entities of the breach. It delayed its report to the Computer Security Incident Response Team by 21 days, according to the report, and when the agency did inform the response team, the information it provided was minimal.

The FDIC also failed to notify the U.S. Computer Emergency Readiness Team of the incident in a timely fashion, and apparently did not disclose it to other government bodies, financial institutions and third parties with which the agency is interconnected, the report found.

In its 2012 Federal Information Security Management Act report to the Office of Management and Budget, the FDIC made no mention of the breaches. The FDIC's chief information officer at the time stated in that report that the "[a]gency has experienced no successful phishing attacks."

The Office of the Inspector General was not the only watchdog that found flaws in the FDIC's management of the cybersecurity threats.

Government Accountability Office representatives said in a May 2013 meeting that they were worried about what the incident showed about the agency's "policies and procedures, 'tone at the top,' and communications with auditors," the report said.

An FDIC spokesperson told American Banker that since the OIG report, the agency had taken several steps to address the threats and improve communication.

The agency created a separate position for CIO, which was formerly held by Pittman in conjunction with his title as director of the division of information technology. It also created a different hierarchy, with the head of information technology — and an independent chief information security officer — both reporting to the CIO, who reports to the chairman.

The FDIC spokesperson added that there had been no similar persistent cyberthreats in the years since. The agency has also twice brought in testers to address the threat of such incidents.

The FDIC has been subject to a congressional inquiry in recent months, after several cases of former employees carrying away sensitive data have come to light.

At least seven former employees since September have copied confidential information to a portable media device as they left.

Because the FDIC's current CIO, Lawrence Gross, had not categorized these events as "major" breaches under the OMB's definition, the agency did not immediately notify Congress of the incidents.

In a February letter to Gross, Mark Mulholland, the FDIC's assistant inspector general for audits, concluded that one such breach that took place in September and October was "major" and needed to be reported to lawmakers. The letter was also leaked by the Post.

Mulholland noted that a former employee had extracted data — including 10,000 unique Social Security numbers — on a thumb drive, but then "repeatedly denied downloading the information."

The employee moved on to work at a financial services firm owned by a Bangalore, India-based parent company, the report stated. FDIC Chairman Martin Gruenberg notified the House Committee on Science, Space and Technology of the incident a week after Mulholland's letter.

Also in February, a similar incident occurred, affecting the data of 44,000 individuals. It was reported to the committee in March.

In a final bout of retroactive reporting, the agency on Monday sent a letter to the committee detailing five additional incidents that have occurred since October. All involved a departing employee and a portable media device.

Regardless of the "major" incident tag, these incidents would have been reported to the OMB as part of the FDIC's yearly Federal Information Security Management Act reports, an agency spokesperson said. "They always would have been reported. We took action when it happened."

The agency also announced that it had taken steps to combat these types of breaches. "We take data security very seriously and are always looking for ways to improve and provide a more secure environment," said an agency memo detailing its "security initiative."

Since April, removable media devices have been blocked on all employee computers, except in special cases where employees need to carry data to FDIC partners and the financial institutions it oversees. In those cases, the FDIC plans to implement encryption software to secure the data.

The agency has also pledged to create a new "Incident Response Coordinator" position, review its cybersecurity oversight policies and begin monitoring what documents are printed.

Gross, the FDIC's information chief, and FDIC Inspector General Fred Gibson will testify on all these incidents at a House Science, Space and Technology Committee hearing on Thursday.
