The FDIC and security experts have responded to the House Committee on Science, Space and Technology's scathing investigation report about hackers breaching the banking agency's computers repeatedly between 2010 and 2013.
The report claimed cyberattackers, purportedly from China, placed backdoor malware on a dozen workstations and 10 servers, including those of the chairman, chief of staff and the FDIC's general counsel. The House committee investigation concluded the agency misled auditors about the extent of those breaches and told employees not to talk about the breaches.
In April, the FDIC detected and moved to mitigate a breach of 44,000 customer records after an employee leaving the agency in February inadvertently downloaded the data containing personally identifiable information to a removable media device. Within three days of the breach, an agency data loss prevention tool detected the download. The employee returned the device with the data the next day, according to the original FDIC account.
FDIC Chairman Martin J. Gruenberg told Science, Space and Technology Committee Chairman Rep. Lamar Smith (R-Texas) in a February letter that the breach affected about 10,000 individuals and the former employee was cooperative. The FDIC's Office of the Inspector General contradicted the claim, indicating the actual number of individuals affected was several times larger and there were other breaches that were not reported.
Then in May, the FDIC reported to Congress that five additional major data breach incidents had occurred since October 2015. In every case, employees with legitimate data access left the agency and inadvertently downloaded personal data. The agency reported the breaches retroactively, claiming it had closed the cases before its Office of Inspector General defined them as major incidents. A major incident involves at least 10,000 records.
Join us in Dallas at the new Credit Union Times Fraud: Don't Let It Happen To Your Credit Union Conference, where you will find the latest tools and techniques for preventing fraud and data breaches; strategies for responding in the immediate aftermath and best practices for restoring reputation, financial stability and information security. This two-day conference is designed for credit union executives, board of directors and those responsible for your credit unions cyber security policy. Register to attend and save $150.
“An effective FDIC information security and privacy program is critical to our mission of maintaining stability and public confidence in the nation's financial system,” FDIC Chairman Martin J. Gruenberg said in a statement before the Committee on Science, Space and Technology.
KnowBe4 Founder and CEO Stu Sjouwerman explained, “Most of these are incidents where employees copied sensitive information to a portable device and walked out the door. That's covered by security policy and procedures, and simple technical controls that block USB ports from being used on workstations.”
The OIG audit identified several weaknesses that the FDIC needed to address and made several recommendations to improve its security, including an insider threat program that would better enable the FDIC to deter, detect and mitigate the risks posed by employees. In addition, the OIG reported that a key control intended to prevent the copying of sensitive resolution plans to removable media did not function properly.
“While the FDIC investigation report is alarming, it's not surprising,” J. Paul Haynes, CEO of cybersecurity firm eSentire, said. “The breach cases at the root of the cybersecurity posture investigation pertain to insider threat, which is a long-standing risk, as employees do things, such as copy and remove sensitive client personally identifiable information, usually when exiting employment.”
The OIG did make clear the FDIC has a number of long-standing controls designed to mitigate risks associated with trusted insiders, including background investigations, periodic inspections of FDIC facilities to identify security concerns, employee nondisclosure agreements, a data loss prevention tool and programs to help employees with personal issues.
“We concur with the OIG's findings and recommendations, and expect to complete implementation of all of our responsive actions by the end of 2016,” Gruenberg said. “Our expectation is that by taking the steps outlined we will be effective in significantly minimizing the potential for similar incidents going forward.”
The FDIC also discontinued individuals' ability to copy information to removable media to prevent these types of incidents from occurring in the future.
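The control described above, denying users the ability to write to removable media on their workstations, is the same one Sjouwerman calls "simple technical controls that block USB ports." The following is an added example, not the FDIC's own configuration and not code from this article, showing one way an administrator would enforce and then audit that control on a Windows workstation through the Removable Storage Access policy registry keys. The registry path, the device class GUID and the `Deny_Write` value name are the documented Windows policy locations; the function names and the assumption that the script runs with local administrator rights are this example's own.

```powershell
# Added example (not the FDIC's configuration): enforce and audit a
# "Removable Disks: Deny write access" policy on a Windows workstation.
# Assumptions: run in an elevated PowerShell session; on domain-joined
# machines the same keys are normally pushed by Group Policy under
#   Computer Configuration > Administrative Templates > System > Removable Storage Access
# and this script is only used to verify the policy actually landed.

# Device setup class GUID that the Removable Storage Access policy uses for "Removable Disks".
$RemovableDisksClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"

function Set-RemovableDiskWriteBlock {
    # Create the policy key if it does not exist and set Deny_Write = 1.
    # Read access is left alone so users can still mount media handed to them;
    # only copying data *out* to the device is blocked.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name 'Deny_Write' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-RemovableDiskWriteBlock {
    # Returns $true only when the policy value is present AND set to 1.
    # A missing key and a key set to 0 both mean "writes allowed", which is the
    # state the OIG found when the FDIC's control "did not function properly".
    $item = Get-ItemProperty -Path $PolicyPath -Name 'Deny_Write' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Deny_Write -eq 1)
}

function Get-MountedRemovableDrives {
    # Spot-check helper for an auditor: DriveType 2 is "Removable Disk" in Win32_LogicalDisk.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object -Property DeviceID, VolumeName, Size
}

# --- Usage ---
Set-RemovableDiskWriteBlock
if (Test-RemovableDiskWriteBlock) {
    Write-Output "Removable-disk write block is enforced on $env:COMPUTERNAME"
} else {
    Write-Warning "Removable-disk write block is NOT enforced on $env:COMPUTERNAME"
}
Get-MountedRemovableDrives
```

Two practical points when using a control like this. First, the policy is read when Group Policy refreshes, so after setting the key run `gpupdate /force` (or reboot) before trusting a manual copy test. Second, a write block and a data loss prevention tool are complementary, not interchangeable: the block prevents the copy from happening, while the DLP tool in this article only detected the download after the fact, so the audit function above is worth running periodically as a detection check that the preventive control is still in place.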
“In the case of the FDIC, enacting, monitoring and enforcing policies around insider threat are critically important to stemming these kinds of breach incidents. The FDIC was able to track and reclaim the data, but in similar circumstances many other firms aren't as successful and suffer significant client data leaks as a result, often detected months after the fact,” Haynes added.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.