The FDIC Breaches: Uncovered

The Federal Deposit Insurance Corporation was brought into existence in 1933 in the wake of catastrophic bank failures that occurred during the Great Depression. The FDIC’s most recognizable function is insuring deposits up to $250,000, meaning that if a bank files Chapter 11 or gets robbed by the Dillinger Gang, customers don’t lose their life savings. Additionally, the agency serves a regulatory/supervisory function by keeping an eye on the country’s financial institutions. To maintain its integrity and the trust of the American consumer, the FDIC must be accountable and forthright. However, a July 12th report by the House Committee on Science, Space and Technology found that Lawrence Gross, the FDIC Chief Information Officer may have deliberately withheld information pertaining to several data breaches occurring between 2015 and early 2016.

Who Watches the Watchmen?

Notice for a minor data breach that occurred in October 2015 was provided to the House committee on February 26, 2016. This appears to be nothing out of the ordinary as it often takes organizations several months to investigate an incident. What seems strange is that a contradictory report concerning the same event was issued on July 8th by the FDIC Office of the Inspector General (OIG). The two versions of the breach differed in the amount of records impacted with the initial notification citing 10,000 individual records compromised and the OIG report claiming 44,000 records impacted. The reports agreed on the facts of the case and stated that a departing employee “inadvertently and without malicious intent” copied customer bank account information to an external storage device and left the premises.

This data breach came to the attention of BitSight researchers in an April 11th Washington Post article citing the apparently corrected number obtained from an internal memo. At the time, this was thought to be the only data breach experienced by the FDIC in 2015, but the recent Congressional report details an investigation into several other breaches as well as the possibility that these events were being mischaracterized as minor incidents. In light of whistleblower testimony and the conflicting findings of the Inspector General, the House Subcommittee on Oversight asked CIO Lawrence Gross and Acting Inspector General Fred Gibson to testify in a May 12th hearing, the full video of which can be viewed here.

Committee members raised questions about the failure by the FDIC to report these events in a timely manner as well as the CIO’s determination that repeated incidents involving the copying of tens of thousands of customer bank account records could be “inadvertent” or low-risk. A small portion of the questions related to an August 2011 incident where an advanced persistent threat originating in China gained access to FDIC servers. It appears that US-CERT was not notified and conducted no investigation of the possible cyber attack. Gross and Gibson’s hearing lasted over an hour, but it appears that the congressmen and women were not able to obtain the desired information. Fred Gibson and FDIC Chairman Martin Gruenberg were asked to appear before the full committee on July 14th to provide additional information on the security posture of the agency at the time of these breaches.

Seven Suspected Incidents

The recent House investigation has shed some light on the amount and type of incidents that have occurred at the FDIC. In the October 2015 case of the now infamous “Florida Incident”, an employee departing the agency copied sensitive bank account records relating to 40,354 individual customers and an additional 30,715 records relating to “banks and other entities” onto a personal storage device. This record count again differs from the 10,000 cited in the initial notice and the 44000 in the Office of the Inspector General’s report. The committee later found that this former employee left to work for a foreign financial service and, when approached about the records in question, initially denied copying them and may have even refused to return them when pressed.

A similar incident involving a departing employee copying between 28,000 and 30,000 customer account records to an external drive occurred in September of 2015. The investigation found that this employee may have been disgruntled upon their departure, yet the removal of documents was still classified as low-risk. At least 5 more incidents of this nature were identified, none of which were flagged as high-risk. When confronted with this fact during the hearing in early May, Gross responded, “It was my initial judgement based on several factors that these incidents did not rise to the level of ‘major incident’ as defined in the [Office of Management and Budget] guidance.” Gross issued this statement despite the fact that all of the breaches in question appear to have surpassed the 10,000 document threshold used to define an incident as low. The CIO maintained throughout questioning that in all of these cases, customer records were copied inadvertently by former employees who were simply trying to retain a few personal files and pictures upon their departure. He further opined that these were non-technical personnel and may not have understood how to copy specific files without copying the entire contents of their computers’ hard drives. This claim has faced scrutiny as the departing employee in the “Florida Incident” held two master’s degrees in Information Technology.

The low-risk designation given to the 7 data breaches allowed the FDIC to avoid reporting the incidents within the 7 day window required of high-risk events and instead summarize them in an end of the year FISMA report to the House committee. The classification that CIO Lawrence Gross assigned also made it harder for the FDIC to pursue a criminal complaint against these individuals. During his testimony, Frank Gibson stated that the Office of the Inspector General had decided not to proceed with a full investigation due to the lack of established intent in the majority of the cases in question. Instead, the OIG conducted more lenient inquiries into each matter.

The Fallout

As a response to these incidents the FDIC has implemented a plan to limit the ability of employees and contractors to download customer information to portable media. The CIO has stated that they have been successful in limiting this access to 50% of the organization that needs to use portable drives for field work, but they are investigating solutions to get that number to 0%. The FDIC is conducting a top-to-bottom review of policy in relation to these incidents and a third-party investigation is taking place. It remains to be seen whether any negligence charges will be brought against a Chief Information Officer who believed the breach of over 100,000 documents constituted a low risk.

It is possible that one or more C-level officials will bear responsibility for these events. In recent years, officials in both the private and public sector have lost their jobs in the fallout of large data breaches. Most recently, the former director of the Office of Personnel Management resigned in the aftermath of a data breach where over 20 million records were exposed. While the incidents at the FDIC exhibit a different attack pattern and number of records compromised, the controversy surrounding the disclosure of these breaches may produce a similar result.