The U.S. House Science, Space and Technology Committee released a preliminary finding that the FDIC (Federal Deposit Insurance Corporation) had not reported, and had even covered up, security breaches. The worst example was former CIO Russ Pittman, who actively told employees not to mention major breaches, which were most likely committed by the Chinese government. In fact, two attacks, in 2010 and 2013, that infected 12 workstations and 10 servers with backdoor malware were not reported, in order to ease the ascension of Martin Gruenberg to chairman. FDIC staff privately withheld documents requested by Congress and lied about all documents having been presented. Whistleblowers even said that employees were told “not to place certain opinions and analysis related to major cyber-security breach in writing.” The most venom was saved for current CIO Larry Gross, who would relocate employees who disagreed with him and retaliate against employees who testified before Congress.
There has also been poor reporting of breaches committed by employees. Last September, an employee stole 28,000-30,000 Social Security numbers on a USB drive, which was only reported in the annual report. The next month, when another employee stole information on a USB drive, the FDIC reported that 10,000 people were affected, when in reality it was more than 70,000. What’s worse, Gross defended the latter employee’s innocence by claiming she was ‘not computer proficient,’ despite her having a master’s degree in information technology management. Another example is that this past May, the FDIC retroactively reported five breaches to the committee, all of which involved the leaking of tens of thousands of people’s personal information. Gruenberg said that the FDIC was making changes to the department, including implementing a department-wide insider threat program and limiting the use of ‘removable media’. The changes are expected to be fully implemented by the end of 2016.