US government CIOs repeatedly covered up breaches

News by Max Metzger

A US Congress committee has condemned the Federal Deposit Insurance Corporation for covering up a number of breaches

A new congressional report has slammed the Federal Deposit Insurance Corporation (FDIC) for apparently covering up cyber-attacks on the government department.

The US House Science, Space, and Technology Committee yesterday released its preliminary findings into an investigation of the FDIC, a government  department which insures american bank deposits.

Lamar Smith, a Republican congressman from New York and chairman of the committee, said in a statement, “The FDIC's intent to evade congressional oversight is a serious offense. Major improvements need to be made to the FDIC's cyber-security mechanisms.”

The findings lay out many instances of cyber-attacks either not being reported or being actively covered up by the management of the FDIC.

Most damning of all is the claim that previous CIO Russ Pittman told employees to not report several major attacks by what was considered to be “a foreign government, most likely Chinese”.

Two attacks, in 2010 and 2013, resulted in the deployment of backdoor malware on 12 workstations and 10 servers. According to the report, the failure to report the breaches was done to ease the succession of then-vice chairman Martin Gruenberg to chairman.

FDIC staff privately withheld documents despite being requested by Congress and telling congressmen that they had produced all the available material. Whistleblowers also told the committee that FDIC employees had been expressly told “not to place certain opinions and analysis related to major cyber-security breach in writing”.

Special indignation is reserved for Larry Gross who took over as the FDIC's CIO in November 2015. The report states he “has created a work environment largely by vindictiveness and retaliation”. Gross is known to have relocated employees who he disagreed with and retaliated against those who chose to testify to Congress.

One breach in September 2015 involved one ‘disgruntled' employee in New York who took a USB hard drive containing sensitive financial information, including social security numbers, of 28,000 to 30,000 people. This was not reported to Congress, only referenced in an annual report.

The next month, the FDIC reported that another employee apparently copied the information of 10,000 people before making off with it on a USB stick. What the FDIC did not report to Congress was that the actual number of people affected by the breach was more than  70,000.

The employee feigned innocence, saying that she only meant to download family photos, and Gross backed up her story by saying she was ‘not computer proficient'. Congress later found out that this particular employee holds a masters degree in information technology management.

These are only a couple of examples. In May 2016, the FDIC retroactively reported five major breaches to the committee involving the theft of tens of thousands of individuals' sensitive personal information.

“It's important that organisations report breaches to the public if there has been an intrusion where data has been leaked or possibly accessed by attackers,” Justin Harvey, CSO at Fidelis Cyber-security told “For a government department, this should be mandatory, particularly when reporting to a governing authority like Congress. I will be curious to see if mandatory breach notification laws are enacted in the US and UK in the future – particularly since the GDPR only applies to EU states – to protect and notify citizens."

The FDIC's chairman Martin Gruenberg testified in front of the committee today, saying,“An effective information security and privacy programme is critical to the FDIC's mission of maintaining stability and public confidence in the FDIC's mission of maintaining stability and public confidence in the American financial system.”

Gruenberg said that the FDIC was making changes to the department including implementing a department wide insider threat programme and limiting the use of ‘removable media'. The changes are expected to be fully implemented by the end of 2016.  

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews