FDIC Latest Agency To Claim It Was Hacked By A Foreign Government

(Mis)Uses of Technology

from the here's-some-things-that-were-said,-they-anonymously-explained dept

Another federal entity is reporting being hacked. And it’s pointing its fingers (and the FBI, which is now investigating) at Chinese military hackers.

The FBI is investigating how hackers infiltrated computers at the Federal Deposit Insurance Corporation for several years beginning in 2010 in a breach senior FDIC officials believe was sponsored by China’s military, people with knowledge of the matter said.

The security breach, in which hackers gained access to dozens of computers including the workstation for former FDIC Chairwoman Sheila Bair, has also been the target of a probe by a congressional committee.

Caught in the middle of all this are the financial transactions of millions of Americans, in addition to whatever sensitive government information might have been located on the FDIC’s computers.

But claiming the Chinese were involved seems premature, even according to Reuter’s own reporting, which relies heavily on a bunch of anonymous government officials discussing documents no one at Reuters has seen.

Last month, the banking regulator allowed congressional staff to view internal communications between senior FDIC officials related to the hacking, two people who took part in the review said. In the exchanges, the officials referred to the attacks as having been carried out by Chinese military-sponsored hackers, they said. The staff was not allowed to keep copies of the exchanges, which did not explain why the FDIC officials believe the Chinese military was behind the breach.

About the only thing confirmed is the FBI’s presence, and that too relies on anonymous officials “familiar with the matter” who described the investigation as ongoing. That being said (anonymously), it’s safer to assume the FBI is checking this out than it is to assume it was a state-sponsored attack. But there seems to be a new and undeniable urge to make attributions as quiickly as possible, even if the evidence doesn’t conclusively point to anyone in particular.

What hasn’t changed is the long delay between discovery and announcement. This hack happened more than five years ago and the FDIC spent nearly two years purging the system of the suspected hackers. Then it waited until it was being investigated by the FBI and Congress before acknowledging the security breach.

And it’s not as though the FDIC has gotten everything locked down, despite being more than six years removed from a major breach.

This year, the FDIC has reported to Congress at least seven cybersecurity incidents it considered to be major which occurred in 2015 or 2016.

An annual report by the regulator said there were 159 incidents of unauthorized computer access during fiscal year 2015, according to a redacted copy obtained by Reuters under a Freedom of Information Act request.

Rather than major breaches by hackers, however, these incidents included security lapses such as employees copying sensitive data to thumb drives and leaving the agency.

Twenty of the incidents were confirmed data breaches, according to an FDIC document provided to Reuters by the U.S. House of Representatives Committee on Science, Space and Technology. That represents a higher number than was previously reported by the regulator under reporting guidelines for major incidents.

In response to these continued incidents, the FDIC has taken the bold step of… banning thumb drives. It appears the lengthy delays between discovery and disclosure will remain in place. In response to the Reuters report, a round of “no comments” was offered from a variety of government officials, as well as the contractor hired by the FDIC to rid its computers of invaders.

An earlier investigation by the House Science Committee does offer some support for the Chinese military hackers theory, but the only conclusion it reached was that the hack appeared to be China-based. Committee members were less than impressed with the FDIC’s reluctance to cooperate with the probe and suspected staffers of trying to shield the new FDIC chairman from criticism. The Inspector General’s report couldn’t find any evidence confirming this assumption, but the 2013 report did find that top FDIC officials weren’t even briefed on the discovered breach until more than a year after it was discovered. So, it’s not just secrecy between branches of government. It’s also secrecy within a single government body. And never mind the millions of Americans potentially affected. They’ll always find out last.

Filed Under: china, fdic, hacking, us government