FDIC Faulted Over Data Breaches That Included Computer Hacks

  • Work environment described in Republican report as ‘toxic’
  • Committee findings released in advance of U.S. House hearing

Repeated data breaches, hacking attacks and a “culture of concealment” at the Federal Deposit Insurance Corp. drew criticism from lawmakers Thursday at a hearing to review how the agency responsible for insuring bank deposits has responded to security breaches.

In a 25-page report issued to coincide with the Thursday hearing, the House Science, Space, and Technology Committee cited a series of cyber intrusions, including some believed to have come from China, as a sign of mismanagement and security breakdown at the FDIC. Chief Information Officer Lawrence Gross was singled out directly, with the report saying he created a “toxic work environment, misled Congress and retaliated against whistle-blowers.”

The “overreaching theme” of the committee’s dealings with the FDIC is “we’re not getting the whole story,” said Chairman Lamar Smith, a Texas Republican. “There is a culture of concealment at the FDIC.” Representative Dana Rohrabacher, a California Republican, said billions of dollars worth of harm could be done to U.S. businesses and citizens if China or other foreign governments gain access to the agency’s data. 

Upgrading Controls

FDIC Chairman Martin Gruenberg and acting Inspector General Fred Gibson said progress was being made in upgrading internal and external controls designed to prevent hacking and to counter internal threats, such as the downloading of sensitive information by disgruntled or careless employees. Gruenberg defended Gross, who started the job in November, saying he is a “capable professional” who deserves more time.

Yet the Congressional report said the FDIC was unwilling “to be open and transparent with the committee’s investigation,” raising “serious concerns about whether the agency is still attempting to shield information from production to Congress.”

The 25-page report described a number of breaches in recent years:

  • In 2010, 2011 and 2013, hackers believed to be linked to the Chinese government gained access to agency computers, including those used by the former FDIC chairman and other high-level officials.

  • In September 2015, the FDIC learned that a “poor performing and disgruntled employee” returned all electronic devices when she left her job except for a portable USB device holding sensitive data, such as living wills, banking information and Social Security numbers of 28,000 to 30,000 individuals.

  • In October 2015, an FDIC employee copied personally identifiable information of 40,000 individuals and 31,000 banks and other entities. The employee left the FDIC and removed a portable storage device from the office. The committee questioned whether FDIC officials misrepresented the employee’s intent by claiming it was an inadvertent breach.

  • In February 2016, an employee obtained sensitive data for 44,000 individuals before leaving the agency. The employee copied personal information onto a portable storage device.

“We have no higher priority at the FDIC than addressing these matters,” Gruenberg said at the hearing.

Beyond the issues cited in the committee’s report, Gibson said that the agency reported six additional major incidents to Congress between March and May of this year and that his office is studying the breaches. Gibson said his office has opened criminal investigations relating to several of the incidents, without providing further details.
