FDIC Latest Agency To Claim It Was Hacked By A Foreign Government
from the here's-some-things-that-were-said,-they-anonymously-explained dept
Another federal entity is reporting being hacked. And it's pointing its fingers (and the FBI, which is now investigating) at Chinese military hackers.
The FBI is investigating how hackers infiltrated computers at the Federal Deposit Insurance Corporation for several years beginning in 2010 in a breach senior FDIC officials believe was sponsored by China's military, people with knowledge of the matter said.
The security breach, in which hackers gained access to dozens of computers including the workstation for former FDIC Chairwoman Sheila Bair, has also been the target of a probe by a congressional committee.
Caught in the middle of all this are the financial transactions of millions of Americans, in addition to whatever sensitive government information might have been located on the FDIC's computers.
But claiming the Chinese were involved seems premature, even according to Reuter's own reporting, which relies heavily on a bunch of anonymous government officials discussing documents no one at Reuters has seen.
Last month, the banking regulator allowed congressional staff to view internal communications between senior FDIC officials related to the hacking, two people who took part in the review said. In the exchanges, the officials referred to the attacks as having been carried out by Chinese military-sponsored hackers, they said. The staff was not allowed to keep copies of the exchanges, which did not explain why the FDIC officials believe the Chinese military was behind the breach.
About the only thing confirmed is the FBI's presence, and that too relies on anonymous officials "familiar with the matter" who described the investigation as ongoing. That being said (anonymously), it's safer to assume the FBI is checking this out than it is to assume it was a state-sponsored attack. But there seems to be a new and undeniable urge to make attributions as quiickly as possible, even if the evidence doesn't conclusively point to anyone in particular.
What hasn't changed is the long delay between discovery and announcement. This hack happened more than five years ago and the FDIC spent nearly two years purging the system of the suspected hackers. Then it waited until it was being investigated by the FBI and Congress before acknowledging the security breach.
And it's not as though the FDIC has gotten everything locked down, despite being more than six years removed from a major breach.
This year, the FDIC has reported to Congress at least seven cybersecurity incidents it considered to be major which occurred in 2015 or 2016.
An annual report by the regulator said there were 159 incidents of unauthorized computer access during fiscal year 2015, according to a redacted copy obtained by Reuters under a Freedom of Information Act request.
Rather than major breaches by hackers, however, these incidents included security lapses such as employees copying sensitive data to thumb drives and leaving the agency.
Twenty of the incidents were confirmed data breaches, according to an FDIC document provided to Reuters by the U.S. House of Representatives Committee on Science, Space and Technology. That represents a higher number than was previously reported by the regulator under reporting guidelines for major incidents.
In response to these continued incidents, the FDIC has taken the bold step of… banning thumb drives. It appears the lengthy delays between discovery and disclosure will remain in place. In response to the Reuters report, a round of "no comments" was offered from a variety of government officials, as well as the contractor hired by the FDIC to rid its computers of invaders.
An earlier investigation by the House Science Committee does offer some support for the Chinese military hackers theory, but the only conclusion it reached was that the hack appeared to be China-based. Committee members were less than impressed with the FDIC's reluctance to cooperate with the probe and suspected staffers of trying to shield the new FDIC chairman from criticism. The Inspector General's report couldn't find any evidence confirming this assumption, but the 2013 report did find that top FDIC officials weren't even briefed on the discovered breach until more than a year after it was discovered. So, it's not just secrecy between branches of government. It's also secrecy within a single government body. And never mind the millions of Americans potentially affected. They'll always find out last.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: china, fdic, hacking, us government
Reader Comments
Subscribe: RSS
View by: Time | Thread
Good job here. Nsa still useless for defense then?
[ link to this | view in chronology ]
Re: Good job here. Nsa still useless for defense then?
[ link to this | view in chronology ]
Re: Re: Good job here. Nsa still useless for defense then?
[ link to this | view in chronology ]
Re: Good job here. Nsa still useless for defense then?
[ link to this | view in chronology ]
Is US hacking of other counties agencies somehow different?
Perhaps making computer systems more secure by reporting vulnerabilities instead of hoarding them would be a better tactic.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
"... banning thumb drives"
[ link to this | view in chronology ]
Let's keep this incident in mind when talking about the 'internet of things'.
It would be horrible if hackers could hold your bluetooth/ethernet-enabled appliances for ransom; pay up or otherwise your front door doesn't unlock, your stovetop and refrigerator won't run, your TV's channels are kaput, your air conditioner will overheat the place...
[ link to this | view in chronology ]
@1
THE UNITED STATES GOVT DESERVES IT
[ link to this | view in chronology ]
Tissue of security
"Them durn furriners! Why they gotta keep exposing our tissue of lies?!"
[ link to this | view in chronology ]
What if?
[ link to this | view in chronology ]
none of this matters
[ link to this | view in chronology ]
police shootings
This year there has been 16 unarmed black men killed by the police. The CDC sites just over 16,000 murders each year in the US ... how is 0.1% labeled 'epidemic' by you and the other 99.9% ignored?
[ link to this | view in chronology ]
Re: police shootings
Remember news organization! They have the same motivations as the rest to do this.
[ link to this | view in chronology ]
bad server
We Automated you so we wouldnt NEED to WATCH YOU..
BAD SERVER..
We didnt Back you up, you are AUTOMATED, you do that..
We didnt Update you, THATS your JOB, BAD SERVER..
We didnt Encrypt you,
We didnt Make you secure in 1-4, different ways, OUT of !00's..
BAD SERVER..SIT STAY..
[ link to this | view in chronology ]