May 12, 2016

Subcommittee Examines FDIC Data Breaches

(Washington, DC) – Today, the House Committee on Science, Space, and Technology’s Subcommittee on Oversight held a hearing to examine recent data breaches at the Federal Deposit Insurance Corporation (FDIC), two of which occurred in October 2015 and February 2016, and to examine broader issues surrounding the FDIC’s cybersecurity posture.

The FDIC is the insurer of more than 4,100 U.S. institutions with assets of more than $2.6 trillion. The FDIC insures deposits, supervises financial institutions for soundness, and manages receiverships. Pursuant to its mission, the FDIC has access to sensitive information about banks and bank customers.

Ranking Member of the Subcommittee, Don Beyer (D-VA), said in his opening statement, “Defending against cyber threats is a persistent and evolving battle. The cyber hazards that confront the public and private sectors come in various forms. Hackers can and have wreaked havoc on Hollywood studios, global financial institutions, retail outlets, and public agencies alike. No one seems to be immune from the various cyber threats that touch virtually everyone.

In the case of the FDIC, they have suffered from seven ‘major’ cyber incidents in the past seven months. These breaches involved plugging ‘removable media,’ such as a USB drive, into an FDIC computer and removing thousands of sensitive financial and other records from the Agency as employees walked out the door.”

Although it appears as though the FDIC took appropriate cybersecurity steps after the fact, there was a long delay in reporting these breaches to Congress, as required by OMB Memo 16-03, published on October 30, 2015. This guidance requires federal agencies to classify cyber breaches as “major incidents” if the data is outside the agency’s control for eight or more hours and if it involves more than 10,000 records or affects more than 10,000 individuals. Incidents that meet those criteria must be reported to Congress within seven calendar days. “That did not happen in either of the two cases this hearing will focus on,” said Mr. Beyer, “or the five others that the FDIC just reported to the Committee this week, and I am still unclear why.”

Ranking Member Eddie Bernice Johnson (D-TX) said, “In at least one case, according to the FDIC’s own records, a former employee who downloaded such data was evasive about her actions and not cooperative when initially confronted by FDIC staff. Some FDIC employees also suggest it was highly improbable this former employee’s actions were accidental. In addition, this former employee is now working for a U.S. subsidiary of a non-U.S. financial services company, which raises additional concerns.

“I hope the IG’s office will be able to clarify whether or not all of the recent data breaches were ‘inadvertent,’ as FDIC has claimed, when the office completes the two audits they are currently working on regarding FDIC’s handling of ‘major’ cybersecurity incidents in the coming weeks. I also hope the IG’s office can shed some light on the reasons why the Office of the Chief Information Officer (CIO) and the FDIC failed to inform Congress of these major incidents within the seven-day timeframe required by the guidance from the Office of Management and Budget (OMB) that was issued in late October 2015.

“I believe the FDIC has already taken some positive steps in responding to the recent data breaches, phasing out the use of removable media, for instance. I encourage them to continue to ensure that sensitive data is not intentionally or inadvertently breached. But I would also request the new CIO, Lawrence Gross, to keep Congress appropriately and fully informed, in a timely manner, when ‘major’ cybersecurity incidents do occur.”

Witnesses

  • Mr. Lawrence Gross, Jr., Chief Information Officer and Chief Privacy Officer, FDIC
  • Mr. Fred W. Gibson, Acting Inspector General, FDIC OIG