Hacking attacks on the US Deposit Insurance Corporation, which underwrites bank deposit accounts, were most likely carried out by the Chinese government, a congressional committee has found.
The report by the House of Representatives science, space and technology committee said multiple breaches took place in 2010, 2011 and 2013.
The FDIC was late to report the breaches, in which the hackers allegedly gained access to the computers of the agency's former chairman, chief of staff, and top legal officer, among others.
A further two hacks last year leaked personal, sensitive information on more than 115,000 people.
The committee sharply criticised the agency for having "purposefully evaded" oversight and for a "long-standing history of lack of transparency".
The committee also found the FDIC's security practices to be shoddy and lacking, and said the agency's culture was "defined largely by vindictiveness and retaliation", where employees live in fear if they criticise management.
The report was scathing in its assessment of the FDIC's chief information officer, with one chapter titled "the CIO has created a toxic work environment and concealed important information from the FDIC chairman".
"Testimony obtained by the committee shows that CIO Larry Gross has concealed information from FDIC chairman Martin Gruenberg about the purported success of initiatives for which the CIO advocates as measures to improve the agency's cybersecurity posture," the report stated.
"For example, during meetings with the chairman Gruenberg, Mr. Gross inflated the potential success of [a] laptop initiative, as well as the FDIC's efforts to implement digital rights management (DRM)."
The report went on to say that by presenting the chairman with a "limited set of facts surrounding major cybersecurity initiatives", the CIO silenced and ignored those who disagreed with him.
The latest investigation is not the first time cybersecurity at the agency has been found to be lacking.
In 2005, US Government Accountability Office auditors found the FDIC failed to ensure that all key control areas supporting its financial environment - including electronic access and network security - were routinely reviewed and tested.
The GAO recommended at the time that the FDIC implement an ongoing, comprehensive process of tests and evaluations for the key control areas, which the agency said it had made progress on.