Republicans slam FDIC for not reporting security problems

Two top Republicans on the House Science Committee slammed the Federal Deposit Insurance Corporation (FDIC) over what they say is the latest example of the agency not reporting cybersecurity failures. 

Committee Chairman Lamar Smith (Texas) and Rep. Barry Loudermilk (Ga.), the chairman of the oversight subcommittee, sent a letter Friday to FDIC Chairman Martin Gruenberg asking why it took two months to notify Congress of a cybersecurity failure in August. They also charged that the report glossed over important details. 

“Given the ever-increasing number of breaches that offered at the FDIC [that] have not been formally reported to the Committee, the Committee is concerned that the FDIC is taking advantage of the Committee’s goodwill,” reads the letter. 

{mosads}On Oct. 19, the FDIC reported that it discovered a security mishap on Aug. 9. It found 409 FDIC employees and contractors had unintentionally shared the documents stored on their computers across the full FDIC network. 

According to the FDIC letter, the August finding was not reported to Congress because there was no evidence of anyone outside the network being granted access to the files and no evidence that any personal information had been compromised. 

Smith and Loudermilk’s letter says the pair conducted follow-up communications with FDIC members and accuse the FDIC of playing semantic word games in the report. Though there may technically be no evidence of personal information being breached, the congressmen say that might be because the FDIC is “unable to track whether personnel accessed compromised information.”  

That could be a big problem. The letter noted that the employees with visible files included 27 Office of the Inspector General agents, with files including Grand Jury documents and information on ongoing investigations. 

After a report of a breach in July, Gruenberg told the Science Committee that the FDIC would report “major” incidents immediately to the Science Committee. In fact, the report of the August problem came tacked on to the end of a report announcing a major incident in September. 

Smith and Loudermilk felt the Aug. 9 incident should have been reported earlier. 

“The delay in reporting this incident, however, raises questions about whether your staff’s commitments are being followed in good faith by CIO [Chief Information Office] Larry Gross,” reads the letter.