China Hacker The FDIC – And US Officials Covered It Up that is the headline from what we consider a bombshell CNN Money article – below is the full document on the attack – its pretty scare but check it out below.
Interim Staff Report: The Science, Space, And Technology Committee’s Investigation Of FDIC’s Cybersecurity
To: Republican Members, Committee on Science, Space, and Technology
From: Majority Staff
Date: July 12, 2016
Re: Full Committee Hearing: “Evaluating FDIC’s Response to Maj or Data Breaches: Is the FDIC Safeguarding Consumers’ Banking Information?” (July 14, 2016, at 10:00 am.)
This interim report provides hearing background for the House Science, Space, and Technology Committee. The Committee is scheduled to hold a hearing on July 14, 2016, to examine the Federal Deposit Insurance Corporation’s (FDIC) cybersecurity posture, prior Congressional testimony by FDIC officials, and the agency’s response to the Committee’s investigation. The hearing Witnesses will be FDIC Chairman Martin J. Gruenberg and’ the Acting Inspector General Fred W. Gibson. This hearing is occurring midway through a lengthy Committee investigation. Staff intends to update this report at the conclusion of the investigation.
I. Overview of the Committee’s Investigation
[drizzle]
Pursuant to the Committee’s legislative jurisdiction over portions of the Federal Information Security Modernization Act of 2014 (FISMA), the Committee receives an annual FISMA report from each department and agency subject to the statute. FISMA also requires notification to select Congressional Committees, including the Science Committee, whenever an agency experiences a major information technology (IT) security breach. Committee staff reviewing the FDIC’s FISMA report noted some anomalies. Then, on February 26, 2016, and March 18, 2016, the Committee received written notification of major breaches. In an effort to better understand the circumstances of these breaches, on April 8, 2016, Chairman Smith sent a letter to FDIC Chairman Gruenberg requesting documents, information, and a briefing from the agency.
On February 26, 2016, Gruenberg wrote Chairman Smith reporting a breach that occurred in Florida on October 15, 2015, and FDIC learned of the breach on October 23, 2015.2 The FDIC represented in its initial memorandum to the Committee that the separating employee inadvertently “and without malicious intent” downloaded sensitive banking information as well as “customer data for over 10,000 individuals.”3 The employee downloaded the information to a portable storage device referred to as a thumb drive and removed it from the premises. The Committee has since learned FDIC made misrepresentations in its February 26, 2016, notification to the Committee. The FDIC Office of Inspector General (01G) issued a report on July 8, 2016, which contradicts FDIC’s representations to Congress.
According to Chairman Gruenberg’s March 18, 2016, notice, a separating employee copied “sensitive FDIC information,” which “included customer data for over 44,000 individuals” to a portable storage device.4 This notice also stated that the “individual inadvertently and without malicious intent” downloaded the information and data.5 The OIG has since clarified and corrected the record on this particular breach as well. The facts as the Committee now knows them are discussed below.
Shortly after the Committee sent its initial letter, the OIG contacted the Committee relaying information about ongoing audits of the agency’s cybersecurity posture as well as raising concerns about other major breaches that the agency failed to report to Congress. The Committee also received credible whistleblower allegations stating that the agency was mischaracterizing the severity of the breaches and intentionally withholding information from Congress related to other major information security breaches. On April 20, 2016, Chairman Smith wrote the FDIC requesting information related to other unreported breaches.
Alarmingly, the IG and several whistleblowers7 told the Committee that the agency appeared to be withholding documents from the Committee even after twice certifying verbally that they had produced all responsive documents. Allegations of withholding documents led Chairman Smith to send a May 10, 2016, letter to the IG requesting all documents not produced by the agency. On May 12, 2016, the Oversight Subcommittee held a hearing on this matter.8 Witnesses were the Chief Information Officer Lawrence Gross and the 1G. At the hearing, Members noted numerous inconsistencies in Gross’ testimony. These inconsistencies were outlined in a May 19, 2016, letter to FDIC from Chairman Smith and Subcommittee Chairman Loudermilk. To date, the agency has not provided a substantive response to each of the concerns raised about the veracity of Gross’ testimony. Gross’ testimony will be discussed in greater detail in Section V, of this report.
The culmination of the FDIC’s discreditable performance at the May 12, 2016, hearing along with their obstruction and concealment of facts and documents, caused Chairmen Smith and Loudermilk to send a May 24, 2016, letter requesting the following:
As of today’s hearing, the Committee has conducted seven transcribed interviews, reviewed approximately 15,000 pages of documents produced by the agency, the IG, and Whistleblowers as part of the Committee’s ongoing investigation.
See full report below.
