- The Washington Times - Wednesday, July 13, 2016

A scathing congressional report published Wednesday accuses the Federal Deposit Insurance Corporation’s chief information officer of misleading lawmakers about recent data breaches and raises questions about the agency’s cybersecurity posture in the wake of being infiltrated by state-sponsored hackers.

The 25-page report was released by the U.S. House Science, Space and Technology Committee on the eve of a congressional hearing being held to discuss the panel’s findings from a lengthy investigation concerning the FDIC, the independent, government-mandated agency responsible for providing deposit insurance to American banks.

Committee staffers had stumbled upon “anomalies” in a security report submitted by the FDIC to Congress earlier this year, raising concerns that worsened once lawmakers examined the agency further.

During the course of their probe, committee members learned that the FDIC had understated some recent major security breaches to Congress and failed to initially acknowledge other incidents altogether.

“It is also clear that the FDIC deliberately evaded congressional oversight,” the panel said in a statement. “In addition, the committee found the FDIC has historically experienced deficiencies related to its cybersecurity posture, and those deficiencies continue to the present.”

An October 2015 security breach confirmed by the agency to Congress four months later was significantly worse than first revealed, and resulted in the sensitive information of more than 71,000 individuals and entities becoming compromised — seven times the figure first presented to Congress, according to the report.

FDIC Chief Information Officer Larry Gross later told Congress that the breach was done inadvertently by an employee who wasn’t computer proficient, only for the panel’s investigation to reveal later that the individual had earned a master’s degree in Information Technology.

A separate security breach that occurred one month earlier affected banking information, Social Security numbers and living wills for upwards of 30,000 individuals, but was never reported to Congress, the report reveals.

These instances and others managed to unfold despite FDIC’s inspector general revealing in 2013 that no fewer than two of the agency’s computers and 10 servers had been compromised by hackers suspected of working for the Chinese government, according to the report.

Committee Chairman Lamar Smith, Texas Republican, said the report “sheds light on the FDIC’s lax cybersecurity efforts” and reveals the agency’s need to make significant improvements to its cybersecurity mechanisms, beginning with its chief information officer.

“The FDIC’s intent to evade congressional oversight is a serious offense,” added Mr. Smith.

After conducting several FDIC employee interviews and reviewing roughly 15,000 agency documents, the House panel determined Mr. Gross engaged in mismanagement, misled Congress, retaliated against whistleblowers and fostered a hostile work environment, the report concludes.

“Witnesses testifying before the committee as part of this investigation raised concerns about whether the inconsistency in leadership effecting the cybersecurity posture as well as whether the current CIO Mr Gross is fit to service in this position,” reads an excerpt of the report.

“We will continue to work towards increasing transparency at the agency and hold the FDIC accountable. Americans should be able to trust the agency with their sensitive banking information,” Mr. Smith said in a statement.

Oversight Subcommittee Chairman Barry Loudermilk, Georgia Republican, said he plans to continue “a thorough oversight of the FDIC, and work with my colleagues to shed light on their culture of mismanagement within the walls of the FDIC, holding agency officials accountable.”

The FDIC did not comment when reached by Reuters on Wednesday.

FDIC Chairman Martin Gruenberg and Acting Inspector General Fred Gibson are slated to testify at Thursday’s hearing. 

• Andrew Blake can be reached at ablake@washingtontimes.com.
