Chinese hackers blamed for multiple breaches at US banking agency
“The committee’s interim report sheds light on the FDIC’s lax cybersecurity efforts”, Texas Republican Lamar Smith said in a statement.
According to The Hill, lawmakers in the U.S. have slammed the agency for failing to disclose the breaches until forced to do so by a formal investigation.
FDIC Chairman Martin Gruenberg and acting Inspector General Fred Gibson are scheduled to testify at a committee hearing on Thursday that will question whether the agency is safeguarding consumer banking information.
According to the report, which was released by the Republican-led Science, Space and Technology Committee, the agency then tried to hide the attacks. In one of the worst data breaches in US history, the personal files of 21 million Americans were stolen, and the federal personnel agency came under fire for neglecting to put in basic cybersecurity protections to prevent the plunder.
The FDIC declined to comment on the report. However, in a recent internal review, the agency admits that it “did not accurately portray the extent of risk” to Congress and that recordkeeping “needs improvement”. The agency now claims that it is in the process of updating its policies.
Meanwhile, a former FDIC staffer was also described to Congress as “cooperative and non-adversarial” in handing over a storage device containing over 70,000 documents of personally identifiable information and bank records, when in fact the employee had hired an attorney to negotiate the return of the records with the FDIC. The report alleges that FDIC employees were instructed by Russ Pittman, its chief information officer, not to discuss the Chinese hacking incidents.
It’s likely that China’s government compromised computers at the Federal Deposit Insurance Corp.
According to the committee, the first hack was detected in 2010, and the problem reared its head again in 2011 and 2013.
The hacks, alongside a number of internal security breaches involving past staffers, were never declared to law enforcement or the US Computer Emergency Response Team (US-CERT), the authority that manages cyberattack responses in the US, the probe claims.
Asked what damage a foreign government could do with stolen FDIC information, the regulator’s inspector general pointed to details on bank contingency plans for bankruptcy, known as living wills, which could be used against US financial institutions.
Several cybersecurity experts – who have extensive experience guarding government computers – expressed dismay at the alleged cover-up.