Chinese Hackers Blamed for Multiple Breaches at FDIC

A U.S. congressional report released on Wednesday revealed that Chinese government-affiliated hackers were the likely culprits in multiple cybersecurity breaches of the Federal Deposit Insurance Corporation (FDIC) over a three-year period beginning in 2010. The intrusions were reportedly covered up by employees at the U.S. banking regulator to evade congressional oversight. At Reuters, Jason Lange and Dustin Volz report:

The report cited an internal FDIC investigation as identifying Beijing as the likely perpetrator of the attacks, which the probe said were covered up to protect the job of FDIC Chairman Martin Gruenberg, who was nominated for his post in 2011.

“The committee’s interim report sheds light on the FDIC’s lax cyber security efforts,” said Lamar Smith, a Republican representative from Texas who chairs the House of Representatives Committee on Science, Space and Technology. “The FDIC’s intent to evade congressional oversight is a serious offense.”

[…] The compromise of the FDIC computers by a foreign government had been previously reported in May and some lawmakers had mentioned China as a possible suspect, but the report on Wednesday for the first time cited a 2013 memo by the FDIC’s inspector general, an internal watchdog, as pointing toward China.

“Even the former Chairwoman’s computer had been hacked by a foreign government, likely the Chinese,” the congressional report said, referring to Gruenberg’s predecessor, Sheila Bair, who headed the FDIC from 2006 until 2011 when Gruenberg took over as acting chairman. [Source]

According to the congressional report, employees at the FDIC were instructed not to disclose information about the security breaches to avoid hampering the congressional approval of Martin Gruenberg as agency chairman, whom the U.S. Senate confirmed in November 2012. Jose Pagliery at CNN reports:

According to congressional investigators, the Chinese government hacked into 12 computers and 10 backroom servers at the FDIC, including the incredibly sensitive personal computers of the agency’s top officials: the FDIC chairman, his chief of staff, and the general counsel.

When congressional investigators tried to review the FDIC’s policy, the agency hid the hack, according to the report.

Investigators cited several insiders who knew about how the agency responded. For example, one of the FDIC’s top lawyers told employees not to discuss the hacks via email — so the emails wouldn’t become official government records.

[…] The report also says this culture of secrecy led the FDIC’s chief information officer, Russ Pittman, to mislead auditors. One whistleblower, whose identity is not revealed in the report, claimed that Pittman “instructed employees not to discuss… this foreign government penetration of the FDIC’s network” to avoid ruining Gruenberg’s confirmation by the U.S. Senate in March 2012. [Source]

IDG News Service’s Grant Gross writes that the FDIC failed to promptly report to Congress about two additional data breaches that occurred in 2015. The banking regulator will be facing additional rebukes by lawmakers for its lax cybersecurity practices and lack of transparency.

The report is the latest U.S.  allegation against China in recent years. Washington previously accused Chinese hackers of conducting major data breaches at the federal Office of Personnel Management, which compromised the personal information of millions of U.S. government employees. Although  activities originating from China continues to pose a threat to the U.S., recent reports have suggested a significant decrease in Chinese hacking operations since Beijing struck an agreement with Washington last September to refrain from conducting cyber-enabled theft of intellectual property for commercial gain.