By Bruce Sussman
Wed | Jun 27, 2018 | 6:07 AM PDT

The FDIC may insure the money you have in the bank, but when it comes to your privacy and security—or that of your bank or credit union—a new report lists serious problems.

Let's start with a single example. In this case, it involves an insider threat and what the OIG described as poorly managed Identity and Access Management.

This information is from the April 2018 FDIC report, released by the Office of the Inspector General (OIG):

"A former employee... copied without authorization, highly confidential components of three sensitive resolution plans onto an unencrypted 'USB' storage device, just as the employee abruptly resigned."

How serious is this? Well, these are plans banks submit in case their financial health requires the government to take over. Curious about what kind of information they contain? How about this?

  1. Information about critical vendors, suppliers, and associated agreements
  2. Non-public financial and business data
  3. Personal information about employees
  4. Location and activities of data centers
  5. A list of critical operations

And instead of this being a trusted employee who simply went rogue, it sounds like the agency missed a shocking number of warning signs:

"The OIG audit report identified a number of factors that contributed to the incident, including employees’ access to sensitive information and employees’ ability to download and store sensitive information. In addition, our report discussed indications that the employee posed a heightened security risk, including major financial problems; several disputes with FDIC management and repeated dissatisfaction; and performance management records indicating that the employee demonstrated poor judgment, lack of accountability for actions, inability to follow a supervisor’s instructions, and inability to adhere to FDIC policies."

Talk about red flags. This paints a very clear picture that there are significant problems at the FDIC.

And there have been at least eight known information and cybersecurity incidents at the FDIC for which notification took from eight months to more than a year, even in cases where PII on 10,000 or more individuals was compromised. 


Congress demanding answers from FDIC

Now, Congress has responded to the OIG's report in a letter to the FDIC:

"The OIG exposed the FDIC's poor cybersecurity posture, missteps in handling the numerous data breaches, and ultimately the cover-up agency staff engaged in when responding to congressional inquiries. The purpose of this letter is to follow-up on matters related to accountability and cybersecurity."

That's right, on top of the problems, the OIG found that the FDIC sought to downplay the seriousness of these cybersecurity incidents and failed to tell Congress the whole truth during recent testimony.


The letter from Congress to the FDIC demands to know if any FDIC officials, at any level, were held accountable as a result of the OIG report findings.

And the report made recommendations for changes. Congress wants to know about an implementation timeline for these.

See the letter from Congress to the FDIC, and if you really have time, the full 237-page OIG report.

Hopefully, the FDIC does a better job insuring our money than it does ensuring our information security. 
