FDIC Latest Agency To Claim It Was Hacked By A Foreign Government

from the here's-some-things-that-were-said,-they-anonymously-explained dept

Another federal entity is reporting being hacked. And it's pointing its fingers (and the FBI, which is now investigating) at Chinese military hackers.

The FBI is investigating how hackers infiltrated computers at the Federal Deposit Insurance Corporation for several years beginning in 2010 in a breach senior FDIC officials believe was sponsored by China's military, people with knowledge of the matter said.

The security breach, in which hackers gained access to dozens of computers including the workstation for former FDIC Chairwoman Sheila Bair, has also been the target of a probe by a congressional committee.

Caught in the middle of all this are the financial transactions of millions of Americans, in addition to whatever sensitive government information might have been located on the FDIC's computers.

But claiming the Chinese were involved seems premature, even according to Reuter's own reporting, which relies heavily on a bunch of anonymous government officials discussing documents no one at Reuters has seen.

Last month, the banking regulator allowed congressional staff to view internal communications between senior FDIC officials related to the hacking, two people who took part in the review said. In the exchanges, the officials referred to the attacks as having been carried out by Chinese military-sponsored hackers, they said. The staff was not allowed to keep copies of the exchanges, which did not explain why the FDIC officials believe the Chinese military was behind the breach.

About the only thing confirmed is the FBI's presence, and that too relies on anonymous officials "familiar with the matter" who described the investigation as ongoing. That being said (anonymously), it's safer to assume the FBI is checking this out than it is to assume it was a state-sponsored attack. But there seems to be a new and undeniable urge to make attributions as quiickly as possible, even if the evidence doesn't conclusively point to anyone in particular.

What hasn't changed is the long delay between discovery and announcement. This hack happened more than five years ago and the FDIC spent nearly two years purging the system of the suspected hackers. Then it waited until it was being investigated by the FBI and Congress before acknowledging the security breach.

And it's not as though the FDIC has gotten everything locked down, despite being more than six years removed from a major breach.

This year, the FDIC has reported to Congress at least seven cybersecurity incidents it considered to be major which occurred in 2015 or 2016.

An annual report by the regulator said there were 159 incidents of unauthorized computer access during fiscal year 2015, according to a redacted copy obtained by Reuters under a Freedom of Information Act request.

Rather than major breaches by hackers, however, these incidents included security lapses such as employees copying sensitive data to thumb drives and leaving the agency.

Twenty of the incidents were confirmed data breaches, according to an FDIC document provided to Reuters by the U.S. House of Representatives Committee on Science, Space and Technology. That represents a higher number than was previously reported by the regulator under reporting guidelines for major incidents.

In response to these continued incidents, the FDIC has taken the bold step of… banning thumb drives. It appears the lengthy delays between discovery and disclosure will remain in place. In response to the Reuters report, a round of "no comments" was offered from a variety of government officials, as well as the contractor hired by the FDIC to rid its computers of invaders.

An earlier investigation by the House Science Committee does offer some support for the Chinese military hackers theory, but the only conclusion it reached was that the hack appeared to be China-based. Committee members were less than impressed with the FDIC's reluctance to cooperate with the probe and suspected staffers of trying to shield the new FDIC chairman from criticism. The Inspector General's report couldn't find any evidence confirming this assumption, but the 2013 report did find that top FDIC officials weren't even briefed on the discovered breach until more than a year after it was discovered. So, it's not just secrecy between branches of government. It's also secrecy within a single government body. And never mind the millions of Americans potentially affected. They'll always find out last.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Nick, 27 Dec 2016 @ 2:16pm

    Good job here. Nsa still useless for defense then?

    Maybe the nsa could start helping with all this "defending the country" stuff. Not as glamorous as spying or attacking though

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Dec 2016 @ 2:30pm

      Re: Good job here. Nsa still useless for defense then?

      You mean actually do the 2nd half of their job? I don't think you understand how valuable blackmail can be. Wasting time on defending the country from outside attack is pointless when you can ensure you retire with more power and influence than any king in history.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 28 Dec 2016 @ 6:22am

        Re: Re: Good job here. Nsa still useless for defense then?

        Blackmail works all over. Leaking that Osama Bin Laden was watching porn or that the russian government has funded a doping program is quite a lot more valuable than stupid shit like identifying security risks and "national security" concerns. If you read the slides provided by Snowdens leaks you would understand that blackmail is a very high priority. That you inevitably pick up something with economic implications or domestic government implications is just a further blessing. The value of working US intelligence contracts is not only monetary...

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Dec 2016 @ 2:30pm

      Re: Good job here. Nsa still useless for defense then?

      You mean actually do the 2nd half of their job? I don't think you understand how valuable blackmail can be. Wasting time on defending the country from outside attack is pointless when you can ensure you retire with more power and influence than any king in history.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Dec 2016 @ 2:20pm

    How many foreign agencies have been hacked by the NSA?
    Is US hacking of other counties agencies somehow different?

    Perhaps making computer systems more secure by reporting vulnerabilities instead of hoarding them would be a better tactic.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Dec 2016 @ 6:28pm

      Re:

      Right-o.... Every hole that is left open by our side to exploit is a hole open for the other side to exploit... Duuuhhh.

      reply to this | link to this | view in chronology ]

  • icon
    Groaker (profile), 27 Dec 2016 @ 2:57pm

    And one of the most incredibly incompetent and useless US agencies -- HSA -- wants to take over cyber security for our nation.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Dec 2016 @ 3:01pm

    More civilians again caught between the waging of undeclared wars between the superpowers.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Dec 2016 @ 3:18pm

    "... banning thumb drives"

    Of course, finger drives are still allowed.

    reply to this | link to this | view in chronology ]

  • identicon
    Daydream, 27 Dec 2016 @ 4:09pm

    Let's keep this incident in mind when talking about the 'internet of things'.

    If a corporation can't protect financial information stored on hardware in its own territory, we should probably think twice about linking all our appliances to these easily disrupted networks.

    It would be horrible if hackers could hold your bluetooth/ethernet-enabled appliances for ransom; pay up or otherwise your front door doesn't unlock, your stovetop and refrigerator won't run, your TV's channels are kaput, your air conditioner will overheat the place...

    reply to this | link to this | view in chronology ]

  • identicon
    CHRoNoSS, 27 Dec 2016 @ 4:17pm

    @1

    only thing the nsa is good at is spying...lol they even will tell you all the really good hackers they had left....and those were ones they caught and went to work for them ....your getting back alllllllll that karma you burned by spying on allies and so called friends cause none of us even care when you get hacked anymore....

    THE UNITED STATES GOVT DESERVES IT

    reply to this | link to this | view in chronology ]

  • icon
    Coyne Tibbets (profile), 27 Dec 2016 @ 5:05pm

    Tissue of security

    "Them durn furriners! Why they gotta keep exposing our tissue of lies?!"

    reply to this | link to this | view in chronology ]

  • identicon
    Capt ICE Enforcer, 27 Dec 2016 @ 5:46pm

    What if?

    If only SOPA would have passed. None of this would have happened.

    reply to this | link to this | view in chronology ]

  • identicon
    ernesto the unreal, 27 Dec 2016 @ 9:01pm

    none of this matters

    more hacks means more budget next year, here is an idea, those in charge are publicly hung, not nice British break your neck hung slow strangle to death hung and to six degrees should die

    reply to this | link to this | view in chronology ]

  • identicon
    scott, 28 Dec 2016 @ 6:20am

    police shootings

    your usage of 'epidemic' makes this article laughable.
    This year there has been 16 unarmed black men killed by the police. The CDC sites just over 16,000 murders each year in the US ... how is 0.1% labeled 'epidemic' by you and the other 99.9% ignored?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 Dec 2016 @ 6:40am

      Re: police shootings

      because it fits a political narrative and TD likes them for headlines.

      Remember news organization! They have the same motivations as the rest to do this.

      reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 28 Dec 2016 @ 11:58am

    bad server

    SIT STAY, BAD SERVER...
    We Automated you so we wouldnt NEED to WATCH YOU..
    BAD SERVER..
    We didnt Back you up, you are AUTOMATED, you do that..
    We didnt Update you, THATS your JOB, BAD SERVER..
    We didnt Encrypt you,
    We didnt Make you secure in 1-4, different ways, OUT of !00's..
    BAD SERVER..SIT STAY..

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.