WASHINGTON — The Federal Deposit Insurance Corp. failed to implement several measures that could have prevented at least eight cybersecurity breaches from departing employees over the last year, the agency's inspector general said in a pair of reports released Friday.
The two audits made a total of 11 recommendations for the agency to improve its defenses against cyber-breaches, particularly those attributed to the agency's own staff. Among the recommended steps were the creation of a "corporate-wide" program to deal with insider threats, and steps by the FDIC's chief information officer to block employees from copying files onto removable media.
In one audit, which analyzed the FDIC's general response to cybersecurity incidents, and how it notifies Congress, the IG said the agency could do better in detecting and reporting such events. The report focused on how the agency responded to an October 2015 breach in which, according to the audit, a Bank Secrecy Act specialist left the agency with sensitive FDIC data that the person had copied.
"Although the FDIC had established various incident response policies, procedures, guidelines, and processes, these controls did not provide reasonable assurance that major incidents were identified and reported in a timely manner," the watchdog said in the report.
In the other audit, the watchdog evaluated the agency's measures specifically for securing sensitive living will data. It dealt with a similar incident in 2015, in which a departing employee "abruptly resigned from the [FDIC] and took sensitive components of resolution plans without authorization," the report said.
In agency responses included with the reports, the FDIC said it would implement all of the proposed changes.
"The IG pointed out to us some things that we needed to do differently, and we're moving forward on them," said FDIC spokeswoman Barbara Hagenbaugh in a brief interview.
The audit related to living will data said the employee was revealed to have copied "sensitive components" from the resolution plans of three systemically important financial institutions. The former employee was unnamed in the report, but, according to sources, she is Allison Aytes. She allegedly copied the data, which apparently included high-level descriptions of the plans but no supporting appendices, onto an unencrypted USB drive right before leaving the agency.
When law enforcement officials "subsequently recovered the USB device" in question, the report said, they also found the executive summary portion of a fourth living will plan in hard copy form. The former employee was also found to have undergone job interviews after her resignation with two of the financial institutions that had submitted the data, the IG said.
Her behavior had also been flagged by upper management several times in the years leading to the theft, the report said. "There were indications that the employee involved in the incident posed a heightened security risk and may not have been suited to work with highly sensitive corporate information, such as resolution plans."
Warning signs included personal financial issues, disputes with management and performance concerns, the report said. Aytes had even violated security protocol by sending sensitive information unencrypted to personal email accounts. She "subsequently refused to acknowledge that this activity was prohibited," the report found.
Aytes was disciplined and eventually suspended without pay in July 2015. She then resigned in September. The download to her USB drive was allegedly detected on Sept. 29.
The inspector general recommended that to minimize the risk of sensitive information being leaked through employees, the agency should implement a "corporate-wide insider threat program." The watchdog also recommended that an information security manager be appointed just for the Office of Complex Financial Institutions — the department that primarily deals with living wills.
The other incident analyzed by the inspector general dealt with a Bank Secrecy Act specialist working for the FDIC in Gainesville, Fla., who allegedly took off with a USB drive containing more than 100,000 files, including upward of 10,000 Social Security numbers.
According to the report, when government officials sought to take possession of the drive, the employee referred them to an attorney and denied the incident had taken place.
The FDIC failed to classify this incident as "major" and report it to Congress after the passage of a memo from the Office of Management and Budget that would have required such measures, the IG found.
"Reasonable grounds existed to designate the incident as major as of December 2, 2015, and, as such, the incident should have been reported to the Congress not later than December 9, 2015," the report said. The incident was only reported to Congress in February of this year.
The report also called for improvements in the FDIC's data loss prevention tools to identify major incidents. In total, FDIC software that tracks downloads of sensitive data flagged more than 600,000 "potential security policy violations" between September 2015 and February 2016, the report found. Only one person was assigned to review these incidents, "which prevented [the FDIC's information security staff] from analyzing the vast majority of removable media events."
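The volume problem the report describes, hundreds of thousands of removable-media alerts and a single reviewer, is the reason data loss prevention output is usually scored and ranked before a human looks at it. The following is an added example, not code from the FDIC or the inspector general's reports: it parses a constructed pipe-delimited event feed (the field layout, the policy names, the scoring weights and the idea of an HR separation-status field joined to each event are all assumptions) and ranks events by the factors the audits single out, namely matches on sensitive data types, file volume, unencrypted media and a user who has resigned or given notice.

```python
"""Rank removable-media DLP events so a small review team sees the riskiest first.

Added example; not the FDIC's tooling.  Assumed event format (one event per line):
    timestamp|user|device|file_count|matched_policies|encrypted|hr_status
where matched_policies is a comma list or "none", encrypted is yes/no and
hr_status comes from an assumed HR feed (active, notice_given, resigned).
"""

from dataclasses import dataclass

# Constructed sample events: users, devices, counts and dates are invented.
SAMPLE_EVENTS = """\
2015-09-29T16:42:10|user_a|usb_unencrypted|1200|resolution_plan|no|resigned
2015-10-05T09:15:33|user_b|usb_unencrypted|104000|ssn,bsa|no|active
2015-10-05T10:01:02|user_c|usb_encrypted|3|none|yes|active
2015-10-06T11:20:45|user_d|usb_unencrypted|15|none|no|active
2015-10-06T14:03:19|user_e|usb_encrypted|500|ssn|yes|notice_given
"""

# Assumed weights: how much each matched content policy raises the score.
POLICY_WEIGHT = {"ssn": 40, "bsa": 30, "resolution_plan": 50}
UNKNOWN_POLICY_WEIGHT = 10


@dataclass
class Event:
    ts: str
    user: str
    device: str
    file_count: int
    policies: list
    encrypted: bool
    hr_status: str


def parse_events(text):
    """Parse the assumed pipe-delimited feed into Event objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, count, pols, enc, hr = line.split("|")
        policies = [] if pols == "none" else pols.split(",")
        events.append(Event(ts, user, device, int(count), policies, enc == "yes", hr))
    return events


def score(ev):
    """Risk score: sensitive content + volume + unencrypted media + departing user."""
    s = sum(POLICY_WEIGHT.get(p, UNKNOWN_POLICY_WEIGHT) for p in ev.policies)
    if ev.file_count >= 10000:      # bulk copy, e.g. the 100,000-file case in the audit
        s += 30
    elif ev.file_count >= 1000:
        s += 15
    if not ev.encrypted:            # unencrypted media cannot be remotely protected
        s += 20
    if ev.hr_status in ("resigned", "notice_given"):   # departing-employee signal
        s += 40
    return s


def triage(text):
    """Return (user, score) pairs for every event, highest risk first."""
    ranked = sorted(parse_events(text), key=score, reverse=True)
    return [(e.user, score(e)) for e in ranked]


def review_queue(text, threshold=50):
    """Only events at or above the threshold reach the human reviewer."""
    return [user for user, s in triage(text) if s >= threshold]


if __name__ == "__main__":
    for user, s in triage(SAMPLE_EVENTS):
        print(f"{s:4d}  {user}")
    print("needs review:", review_queue(SAMPLE_EVENTS))
```

With these weights the two events that resemble the incidents in the reports, a departing user copying resolution-plan material to unencrypted media and a bulk copy of files matching the SSN and BSA policies, sort to the top, while a three-file copy to an encrypted drive by an active employee scores zero and never consumes reviewer time. The threshold in `review_queue` is the tuning knob: it should be set so the queue matches the review capacity that actually exists, rather than left at a level that produces a backlog nobody reads.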
But the number of incidents is likely to decrease, the report suggested, because of recent efforts made by the agency to curb the use of removable media devices among its employees. As of June 28, the report said, only 6% of network accounts had permission to download information onto a USB drive or similar piece of hardware.
The only employees who are able to use these devices are Government Accountability Office representatives, five individuals in the FDIC's legal division, and inspector general staff, Hagenbaugh said.
To improve incident response, the inspector general recommended that the CIO revise its policies and that the download tracking software be "better leveraged to safeguard sensitive FDIC information."