Insiders compromised FDIC data; GAO audit finds FDIC working to improve IT security
There have been a number of serious insider breaches at the Federal Deposit Insurance Corporation (FDIC), including a former employee who “copied highly confidential components of three sensitive resolution plans onto an unencrypted USB storage device and took the information upon abruptly resigning,” according to an Office of Inspector General (OIG) report cited in the Government Accountability Office (GAO) auditor’s report on GAO’s audits of the 2017 and 2016 financial statements for the two funds FDIC administers—the Deposit Insurance Fund (DIF) and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund (FRF).
In the above incident, OIG law enforcement officials subsequently recovered the USB device containing all of the exfiltrated data as well as a sensitive Executive Summary for a fourth resolution plan in hard copy. Based on the OIG criminal investigation, the employee was subsequently charged in the Federal District Court for the Eastern District of New York with theft of government property.
In another OIG report, GAO’s audit of FDIC’s process for identifying and reporting major information security incidents found that the breach, in which an employee used a USB storage device to copy more than 10,000 documents upon departing from the FDIC, included more than 10,000 unique Social Security Numbers.
“We found that over 4 weeks elapsed between the discovery of the incident and a determination that the incident involved a data breach … We concluded the FDIC had not devoted sufficient resources to review potential violations.”
In late 2015 and early 2016, FDIC was impacted by “significant cybersecurity incidents.” FDIC detected eight data breaches as departing employees improperly took sensitive information shortly before leaving the FDIC. The FDIC initially estimated that this sensitive information included the Personally Identifiable Information (PII) of approximately 200,000 individual bank customers associated with approximately 380 financial institutions, as well as the proprietary and sensitive data of financial institutions; however, the FDIC later revised the number of affected individuals to 121,633.
Because individuals may have access to sensitive or personally identifiable information as well as privileged access to critical infrastructure or business sensitive information (e.g., bank data), FDIC established the Insider Threat and Counterintelligence Program (ITCIP) in September 2016. ITCIP is a defensive program focused on preventing and mitigating internal and external threats and risks posed to FDIC personnel, facilities, assets, resources, and both national security and sensitive information by insider and foreign intelligence entities.
GAO pointed out that, “These threats may involve … intentional breaches of sensitive information by personnel who may be compromised by external sources, disgruntled, seeking personal gain, intending to damage the reputation of the FDIC, or acting for some other reason. ITCIP leverages both physical and logical safeguards to minimize the risk, likelihood, and impact of an executed insider threat.”
Section 17 of the Federal Deposit Insurance Act, as amended, requires GAO to annually audit the financial statements of the DIF and of the FRF. In addition, the Government Corporation Control Act requires that FDIC annually prepare and submit audited financial statements to Congress, and provides GAO authority to perform the audit.
As of last December, according to GAO, “FDIC made progress during 2017 in addressing a significant deficiency that we reported in our 2016 audit. Specifically, FDIC sufficiently addressed the deficiencies in information systems access and configuration management controls such that we no longer consider the remaining control deficiencies in this area, individually or collectively, to represent a significant deficiency as of December 31, 2017.”
However, GAO also stated, “The FDIC must continue its efforts to mitigate cybersecurity risks at financial institutions and third-party technology service providers [TSPs] in order to protect the Deposit Insurance Fund and consumers. In this regard, the FDIC should continue building its capabilities to assess IT risks and trends and deploy IT examination staff commensurate with risks at FDIC-supervised institutions. Further, the FDIC should take prompt supervisory action when banks do not have effective information security programs.”
The importance of FDIC IT security cannot be overstated. FDIC uses IT systems and applications to carry out its several mission goals regarding safety and soundness for financial institutions, consumer protection, managing the DIF, and resolution and receivership of failed institutions. As GAO explained, “These systems and applications hold significant amounts of sensitive data. For example, the FDIC’s Failed Bank Data System contains more than 2,500 terabytes of sensitive information from more than 500 bank failures.”
FDIC systems also contain substantial amounts of PII, including, for example, names, Social Security Numbers, and addresses related to bank officials, depositors, and borrowers at FDIC-insured institutions and failed banks, and FDIC employees. Of the FDIC’s 261 system applications, 151 applications required Privacy Impact Assessments because they collect, maintain, or disseminate PII.
Further, GAO’s assessment of FDIC’s information security controls over key financial systems, data, and networks “identified information security deficiencies at the FDIC.”
For example, GAO said it “found that the FDIC did not implement sufficient controls to isolate financial systems from other parts of its network to prevent unauthorized users and systems from communicating with the financial systems.”
GAO further found FDIC did not implement sufficient controls over a privileged account used by systems engineers to manage the FDIC’s virtual environment. “As a result,” GAO said, “the FDIC had diminished ability to distinguish between authorized and unauthorized activity in the systems.”
According to GAO, these information system control issues “represented a significant deficiency in the FDIC’s internal control over financial reporting systems as of December 31, 2016.”
In the September 2017 OIG report, Controls over Separating Personnel’s Access to Sensitive Information, weaknesses were identified “in the management of contractor access to FDIC systems, data, and facilities.” The OIG audit stated, “separating contractor employees may present greater risks than FDIC employees, because the FDIC may not know as much about an individual contractor’s personnel history and the contractor may depart without advanced notice. Further, we found that the priority review of network activity using the Data Loss Prevention (DLP) tool was not conducted in the pre-exit clearance process for many contractors.”
It was estimated that “at least” 43 percent of FDIC contractors who separated between October 1, 2015 and September 30, 2016 were not subject to a DLP priority review.
“In addition, the FDIC could not locate clearance records for 46 percent of the contractors” OIG “sampled, and records management liaisons did not review data questionnaires before contractors separated in 94 percent of the cases we reviewed.”
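The pre-exit clearance gap described in the OIG findings above is the kind of control an auditor can test mechanically: join the list of separating personnel against the DLP priority review log and the clearance records, and count who left without a review that finished before their exit. The script below is an added example, not FDIC or OIG code; the personnel records and DLP review log are constructed for illustration, the `Separation` and `DlpReview` types are hypothetical, and only the October 1, 2015 to September 30, 2016 review window comes from the article. Note the edge case it handles: a DLP review that completes after the separation date is not a pre-exit review and is counted as missing.

```python
"""Pre-exit clearance coverage check (added example, not FDIC or OIG code).

Given separation records for departing employees and contractors and a log
of DLP priority reviews, report who separated without a review completed on
or before their separation date, and whose clearance record cannot be found.
All records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class Separation:
    person_id: str
    kind: str              # "employee" or "contractor"
    separated_on: date
    clearance_record: bool  # True if a pre-exit clearance record was located


@dataclass(frozen=True)
class DlpReview:
    person_id: str
    completed_on: date


# Review window from the article: fiscal year 2016.
FY2016_START = date(2015, 10, 1)
FY2016_END = date(2016, 9, 30)

# Constructed sample data (not real FDIC records).
SEPARATIONS: List[Separation] = [
    Separation("E-1001", "employee", date(2016, 3, 15), True),
    Separation("E-1002", "employee", date(2016, 6, 30), True),
    Separation("C-2001", "contractor", date(2016, 1, 20), True),
    Separation("C-2002", "contractor", date(2016, 4, 8), False),
    Separation("C-2003", "contractor", date(2016, 8, 1), True),
    Separation("C-2004", "contractor", date(2016, 9, 29), False),
]

DLP_REVIEWS: List[DlpReview] = [
    DlpReview("E-1001", date(2016, 3, 14)),
    DlpReview("E-1002", date(2016, 6, 29)),
    DlpReview("C-2001", date(2016, 1, 19)),
    DlpReview("C-2003", date(2016, 8, 3)),  # finished after exit: does not count
]


def reviewed_before_exit(sep: Separation, reviews: List[DlpReview]) -> bool:
    """A DLP review counts only if it completed on or before the separation date."""
    return any(
        r.person_id == sep.person_id and r.completed_on <= sep.separated_on
        for r in reviews
    )


def audit_separations(separations: List[Separation], reviews: List[DlpReview],
                      start: date, end: date) -> Dict[str, dict]:
    """Per personnel kind, list and count separations lacking a pre-exit DLP
    review or a locatable clearance record within the [start, end] window."""
    in_scope = [s for s in separations if start <= s.separated_on <= end]
    report: Dict[str, dict] = {}
    for kind in sorted({s.kind for s in in_scope}):
        group = [s for s in in_scope if s.kind == kind]
        unreviewed = [s.person_id for s in group if not reviewed_before_exit(s, reviews)]
        missing_clearance = [s.person_id for s in group if not s.clearance_record]
        total = len(group)
        report[kind] = {
            "total": total,
            "unreviewed": unreviewed,
            "pct_unreviewed": round(100.0 * len(unreviewed) / total, 1) if total else 0.0,
            "missing_clearance": missing_clearance,
            "pct_missing_clearance": round(100.0 * len(missing_clearance) / total, 1) if total else 0.0,
        }
    return report


if __name__ == "__main__":
    for kind, stats in audit_separations(SEPARATIONS, DLP_REVIEWS, FY2016_START, FY2016_END).items():
        print(f"{kind}: {stats['total']} separated, "
              f"{stats['pct_unreviewed']}% without pre-exit DLP review {stats['unreviewed']}, "
              f"{stats['pct_missing_clearance']}% without clearance record {stats['missing_clearance']}")
```

In a real deployment the two inputs would come from the HR separation feed and the DLP console's case export; the only logic that matters is the date comparison in `reviewed_before_exit`, which is what turns "a review happened" into "a review happened while the person still had access."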
A subsequent OIG report in June 2017, Follow-on Audit of the FDIC’s Identity, Credential, and Access Management Program, found FDIC “did not maintain current, accurate, and complete contractor personnel data to ensure Personal Identity Verification (PIV) card (i.e., a badge) credential issuance to authorized FDIC contractors.”
“Absent reliable contractor information, PIV cards may not be issued and revoked in a timely manner, presenting an increased risk of unauthorized access to FDIC facilities and networks,” OIG concluded.
Another OIG audit report, The FDIC’s Processes for Responding to Breaches of Personally Identifiable Information, assessed the adequacy of FDIC’s processes to evaluate the risk of harm to individuals affected by a breach of PII and to notify and provide services to those individuals when appropriate. A sample of suspected or confirmed breaches occurring between January 1, 2015 and December 1 potentially affected 13,000 individuals.
“We found that the FDIC did not notify affected individuals until more than 9 months had elapsed from the date of discovery of the breaches. Further, we noted that the FDIC had not devoted sufficient resources to address a dramatic increase in breach investigation activities,” the OIG said.
In addition, the OIG “determined that the individuals responsible for examining the data breaches did not always have the necessary skills and training to ensure proper performance of their duties.”
In another recent OIG report, Audit of the FDIC’s Information Security Program – 2017, the OIG “identified FDIC security control weaknesses that limited the effectiveness of the FDIC’s information security program and practices and placed the confidentiality, integrity, and availability of the FDIC’s information systems and data at risk.”
In the OIG evaluation, Case Study of a Computer Security Incident Involving a Technology Service, the OIG reviewed allegations about a computer security incident potentially involving unauthorized access to unencrypted Personally Identifiable Information (PII) from multiple client financial institutions residing on a TSP computer server. The OIG “concluded that a poor internal control environment and a vague incident response policy limited the TSP’s ability to protect against the incident and hampered incident response efforts. The TSP did not collect or retain forensics information such as an image of the server, and it lacked a computer activity log to identify data access and exfiltration.”
The Office of the Comptroller of the Currency’s (OCC) Semiannual Risk Perspectives (Spring 2017), warned “TSPs are … targets for cybercrime and may provide a back door into bank operations through the supply of IT products and services that allow remote access and management of bank operations or applications.” OCC also identified concerns with large numbers of banks relying on a small number of TSPs.
“For example, OCC examiners identified third-party services for merchant card processing, denial of service mitigation, and trust account systems as instances of concentration among providers,” GAO reported, noting, “As such, if a TSP has its systems or information compromised, it may significantly impact a large segment of the banking industry.”
GAO said FDIC IT examinations assess the management of IT risks, including cybersecurity, at FDIC-supervised institutions and at select TSPs. “When examinations identify undue risks and weak risk management practices at institutions, the FDIC may use informal or formal enforcement procedures to address those risks and practices as well as deteriorating financial conditions, or violations of laws or regulations,” GAO said, noting, “many financial institutions maintain contracts with TSPs to outsource certain bank functions such as IT operations or business or product lines.”
The FDIC’s Performance Plan for 2017 indicated it would prioritize efforts “to protect its networks and data from unauthorized access, data breaches, and intrusions.” The plan further stated that the FDIC intends to implement technologies to improve its ability to classify and protect sensitive data. In 2017, FDIC updated its IT strategic plan, revised its Breach Response Plan, and established a new Office of the Chief Information Security Officer. The FDIC also issued PIV cards to all employees and contractors and began requiring use of the cards to access FDIC computers.
“Looking ahead,” GAO said, “the FDIC also plans to integrate cybersecurity into the FDIC-wide enterprise architecture and update its policies and procedures for expiring and outdated software and patch management.”