FDIC Latest Agency To Claim It Was Hacked By A Foreign Government

from the here's-some-things-that-were-said,-they-anonymously-explained dept

Another federal entity is reporting being hacked. And it’s pointing its fingers (and the FBI, which is now investigating) at Chinese military hackers.

The FBI is investigating how hackers infiltrated computers at the Federal Deposit Insurance Corporation for several years beginning in 2010 in a breach senior FDIC officials believe was sponsored by China’s military, people with knowledge of the matter said.

The security breach, in which hackers gained access to dozens of computers including the workstation for former FDIC Chairwoman Sheila Bair, has also been the target of a probe by a congressional committee.

Caught in the middle of all this are the financial transactions of millions of Americans, in addition to whatever sensitive government information might have been located on the FDIC’s computers.

But claiming the Chinese were involved seems premature, even according to Reuter’s own reporting, which relies heavily on a bunch of anonymous government officials discussing documents no one at Reuters has seen.

Last month, the banking regulator allowed congressional staff to view internal communications between senior FDIC officials related to the hacking, two people who took part in the review said. In the exchanges, the officials referred to the attacks as having been carried out by Chinese military-sponsored hackers, they said. The staff was not allowed to keep copies of the exchanges, which did not explain why the FDIC officials believe the Chinese military was behind the breach.

About the only thing confirmed is the FBI’s presence, and that too relies on anonymous officials “familiar with the matter” who described the investigation as ongoing. That being said (anonymously), it’s safer to assume the FBI is checking this out than it is to assume it was a state-sponsored attack. But there seems to be a new and undeniable urge to make attributions as quiickly as possible, even if the evidence doesn’t conclusively point to anyone in particular.

What hasn’t changed is the long delay between discovery and announcement. This hack happened more than five years ago and the FDIC spent nearly two years purging the system of the suspected hackers. Then it waited until it was being investigated by the FBI and Congress before acknowledging the security breach.

And it’s not as though the FDIC has gotten everything locked down, despite being more than six years removed from a major breach.

This year, the FDIC has reported to Congress at least seven cybersecurity incidents it considered to be major which occurred in 2015 or 2016.

An annual report by the regulator said there were 159 incidents of unauthorized computer access during fiscal year 2015, according to a redacted copy obtained by Reuters under a Freedom of Information Act request.

Rather than major breaches by hackers, however, these incidents included security lapses such as employees copying sensitive data to thumb drives and leaving the agency.

Twenty of the incidents were confirmed data breaches, according to an FDIC document provided to Reuters by the U.S. House of Representatives Committee on Science, Space and Technology. That represents a higher number than was previously reported by the regulator under reporting guidelines for major incidents.

In response to these continued incidents, the FDIC has taken the bold step of… banning thumb drives. It appears the lengthy delays between discovery and disclosure will remain in place. In response to the Reuters report, a round of “no comments” was offered from a variety of government officials, as well as the contractor hired by the FDIC to rid its computers of invaders.

An earlier investigation by the House Science Committee does offer some support for the Chinese military hackers theory, but the only conclusion it reached was that the hack appeared to be China-based. Committee members were less than impressed with the FDIC’s reluctance to cooperate with the probe and suspected staffers of trying to shield the new FDIC chairman from criticism. The Inspector General’s report couldn’t find any evidence confirming this assumption, but the 2013 report did find that top FDIC officials weren’t even briefed on the discovered breach until more than a year after it was discovered. So, it’s not just secrecy between branches of government. It’s also secrecy within a single government body. And never mind the millions of Americans potentially affected. They’ll always find out last.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “FDIC Latest Agency To Claim It Was Hacked By A Foreign Government”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Good job here. Nsa still useless for defense then?

You mean actually do the 2nd half of their job? I don’t think you understand how valuable blackmail can be. Wasting time on defending the country from outside attack is pointless when you can ensure you retire with more power and influence than any king in history.

Anonymous Coward says:

Re: Re: Good job here. Nsa still useless for defense then?

Blackmail works all over. Leaking that Osama Bin Laden was watching porn or that the russian government has funded a doping program is quite a lot more valuable than stupid shit like identifying security risks and “national security” concerns. If you read the slides provided by Snowdens leaks you would understand that blackmail is a very high priority. That you inevitably pick up something with economic implications or domestic government implications is just a further blessing. The value of working US intelligence contracts is not only monetary…

Daydream says:

Let's keep this incident in mind when talking about the 'internet of things'.

If a corporation can’t protect financial information stored on hardware in its own territory, we should probably think twice about linking all our appliances to these easily disrupted networks.

It would be horrible if hackers could hold your bluetooth/ethernet-enabled appliances for ransom; pay up or otherwise your front door doesn’t unlock, your stovetop and refrigerator won’t run, your TV’s channels are kaput, your air conditioner will overheat the place…

CHRoNoSS says:


only thing the nsa is good at is spying…lol they even will tell you all the really good hackers they had left….and those were ones they caught and went to work for them ….your getting back alllllllll that karma you burned by spying on allies and so called friends cause none of us even care when you get hacked anymore….


Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...