Enclosure

Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, VA 22226
Office of Inspector General

Confidential Investigative Material - For Official Use Only

Date: May 24, 2013
To: Martin J. Gruenberg, Chairman
From: Inspector General
Subject: Investigation of Division of Information Technology Computer Security Incident

Securing government information is essential to the economic and national security interests of the United States. The FDIC possesses a huge volume of information needed to accomplish its mission, protect its assets, fulfill its legal responsibilities, maintain day-to-day functions, and protect individuals. Much of this information is highly sensitive and some is proprietary. The FDIC employs and manages a multitude of complex systems and applications that store, process, and transmit this sensitive information. The FDIC Board of Directors entrusts responsibility for the safety and security of the information to the Division of Information Technology (DIT).

The attached report presents the results of the FDIC OIG's investigation of DIT's handling of a serious computer security incident involving the penetration of FDIC computer systems by an advanced persistent threat (APT). DIT management officials breached their duties in their handling of this incident. As such, the Corporation was unduly subjected to increased risk and to actual unauthorized access to and exfiltration of sensitive data. Our work suggests that there are a number of matters that warrant your attention.

As our report explains in more detail, once aware of the security incident, DIT chose to keep the preponderance of related information and decision-making within its own Division. The decision to do so was grounded in DIT's assessment that the incident was an operational matter. This assessment was, and remains today, fundamentally flawed, and it resulted in the FDIC not taking actions that should have begun at the outset in August 2011. Incidents involving APTs occur with some frequency as the government and private industry find themselves targets of a wide variety of malicious actors. However frequent, incidents involving APTs are highly significant events that should trigger prompt disclosures to multiple parties outside of the organization under attack, as well as an enterprise-level assessment of the consequences of the attack within the organization itself.

In order to implement the flawed assessment that the presence of significant and widespread APT activity within the network was an operational matter, DIT managers elected not to report, or to underreport, information regarding the incident over an extended period of time. Specifically:

- DIT did not fully inform you, other Board Members, and the Chief Risk Officer of the severity and magnitude of the intrusion. The only briefing that you received minimized the extent of the penetration of the system while emphasizing that DIT had the situation under control. As a result, you and others who are entrusted with ultimate governance and risk management responsibilities at the FDIC lacked critical knowledge on which to take responsive actions that you may have deemed appropriate under the circumstances. You were not updated on information subsequently developed by DIT or on the progress and efficacy of mitigation efforts, which continue through the date of this report.

- DIT violated its own policies and procedures for handling computer security incidents, and did so deliberately. Established policies for reporting computer security incidents were not followed, and the forming of an incident response team comprised of a broad representation of FDIC officials from multiple FDIC Divisions and Offices never occurred. As such, procedures designed to ensure an enterprise-level assessment of the incident and of DIT's response to it, including procedures designed to protect and safeguard personally identifiable information, were circumvented.

- Counterparties to Interconnection Security Agreements with the FDIC, that is, other federal financial regulators, government agencies, financial institutions, and private-sector service providers, were not notified of the computer security incident. Under these agreements, counterparties have the right to assess for themselves the potential impact that penetration of the FDIC systems could have on them or their data. Such an analysis cannot be performed unilaterally by the FDIC. In failing to notify these parties, DIT managers may have exposed the FDIC to significant risk.

- In violation of FDIC policies and procedures and federal guidelines, until May 2013 DIT management chose not to report the security incident in any meaningful way to US-CERT, the central national authority responsible for tracking, analyzing, and coordinating responses to computer security incidents, including APTs that attack US government systems. As such, US-CERT did not have the benefit of FDIC data to incorporate in US efforts to protect the nation's cyber security and manage cyber risks. As evidenced in recent press, nations are engaging in sophisticated attempts to gain access to military, financial, and other confidential or proprietary data. As outlined in government-wide guidance, information related to the infiltration at the FDIC should have been fully disclosed to US-CERT in a timely manner and updated on a continuing basis.

- Finally, with respect to auditors from the Government Accountability Office (GAO) and the OIG, the non-disclosures or misstatements on the part of DIT call into question the underlying factual basis for opinions that the GAO and OIG reached in their respective audit work, namely GAO's financial statement audit work and the OIG's work in 2011 and 2012 pursuant to the Federal Information Security Management Act (FISMA) of 2002. At a minimum, DIT's behavior necessitated significant additional work on the part of both sets of auditors as they sought to determine the effects of the non-disclosures on their audit products long after these products had been completed. DIT management's behavior also changed the dynamic of the relationship between the auditors and the auditee in ways that are not yet fully understood. Much of audit work is based on a trust relationship, and once that trust is violated the relationship may be irreparably damaged.

On May 16, 2013, the FDIC filed an updated notice with US-CERT of the security incident, with information that should have been in the initial August 2011 filing. This information is required to be filed within one hour of the detection of the incident but was provided more than 20 months later. The notice suggests that it encapsulates multiple events that had been previously reported. Based on our review, the relevant events were not reported, or were reported in such a manner as to be meaningless.

In addition to the matters specifically addressed in our report, we believe that your attention to DIT management's continuing approach to the handling of the security incident is warranted. The OIG is monitoring the actions that DIT is taking related to handling computer security threats. We will be evaluating these actions in more detail as part of our 2013 audit work. Given the significance of the APT itself and the results of our investigation, I will be notifying the appropriate Congressional Committees of this matter, as I am required to do under the Inspector General Act. In the interim, we request that you inform us of any actions that you take to address the findings in our attached investigative report.


Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, Virginia 22226
Office of Inspector General

Memorandum

Date: May 24, 2013
To: Martin J. Gruenberg, Chairman
From: Inspector General
Subject: Investigation of Division of Information Technology Computer Security Incident

The security of government information is important to the economic and national security interests of the United States. The FDIC possesses a large volume of information it needs to accomplish its assigned mission, protect its assets, fulfill its legal
responsibilities, maintain its day-to-day functions, and protect individuals. The FDIC, in carrying out its wide range of responsibilities, employs and manages a complex variety of systems and applications that store, process, and transmit this sensitive information. The FDIC Board of Directors has entrusted the Division of Information Technology (DIT) with the responsibility of making sure that information is safe and secure.

In October 2010, DIT became aware that an FDIC employee's desktop computer had been compromised by an advanced persistent threat (APT) [1]. An APT presents challenges that are distinct from traditional security risks in that the threat is long-term, sophisticated, and targeted to a specific organization or entity. DIT executed remediation steps in an attempt to eradicate the compromise. In August 2011, DIT was alerted by a third party, the Federal Bureau of Investigation (FBI), to network activity indicating another potential security incident involving an APT. DIT found in April 2013 that the 2010 and 2011 incidents were related attempts by the same APT.

DIT has subsequently determined that the APT penetrated over 90 workstations or servers with specialized tools that ultimately allowed the creation of valid administrator accounts providing full access to the Windows environment. Approximately 90 percent of the FDIC's information technology activities are conducted in Windows. DIT also discovered evidence that the APT had exported data from FDIC machines to servers outside the FDIC network. Twelve of the infected computers were those of FDIC executives, including the former FDIC Chairman, the Director and Deputy Director of the Office of International Affairs (OIA), the former General Counsel, and the Chief Economist. Attachment 1 presents a listing and brief explanation of the compromised workstations or servers.

[1] The National Institute of Standards and Technology defines an APT as an adversary that possesses significant levels of expertise, creates opportunities to achieve its objectives by using multiple attack vectors, and establishes footholds within the infrastructure of targeted organizations to exfiltrate information, undermine critical aspects of a mission or program, and position itself to carry out these objectives in the future.

Investigation

In March 2013, the FDIC Office of Inspector General (OIG) received information that caused the OIG to ask DIT management about DIT's notification and handling of the security incident. The information that we initially received on this matter raised serious concerns as to how it was managed and communicated within and outside the Corporation. Accordingly, the OIG initiated an investigation to understand the events surrounding the security incident. During the period from April 1, 2013, through May 22, 2013, we interviewed 22 DIT employees, including Russ Pittman, the DIT Director, Chief Information Officer (CIO), and Chief Privacy Officer; the Deputy Director and Chief Information Security Officer (CISO); and Roderick Toms, Assistant DIT Director, Security Protection Engineering Section. We also interviewed FDIC Chairman Martin Gruenberg, members of the FDIC Chairman's staff, senior FDIC officials, Government Accountability Office (GAO) representatives, and Special Agents from the FBI to determine the steps taken, timeframes, and notifications regarding the incident. In conducting our work, we reviewed DIT's communications with senior officials and others, including email communications, and the applicable policies, procedures, and mandatory notification requirements. We also considered the disclosures that DIT made to GAO and OIG auditors as these auditors were conducting audit work related to the financial statements of the FDIC and the Federal Information Security Management Act of 2002 (FISMA), respectively.

The following sections of this report present the results of our investigation. We first include a chronology of key events. We then discuss (1) DIT's communication of the computer security incident to the FDIC Chairman and other senior officials, (2) adherence to certain FDIC and government-wide policies, procedures, and guidelines for dealing with computer security incidents, (3) notifications to parties external to the FDIC, and (4) disclosures to GAO and OIG auditors.

Chronology of Key Events

October 2010: A former FDIC OIG Special Agent, now working in a different agency, contacts the FDIC OIG Special Agent in Charge (SAC) of the Electronic Crimes Unit concerning a computer security incident involving the FDIC. While performing weekend reserve duties conducting cyber investigations, he discovered an IP address belonging to an FDIC workstation that was beaconing out to a known malicious command and control server outside of the FDIC network. The SAC notifies a Senior IT Security Specialist at the FDIC.

October 19, 2010: The former Special Agent, the SAC, and Assistant Inspector General for Investigations Matt Alessandrino meet to discuss the incident.

October 28, 2010: An OIG Special Agent goes to the United States Computer Emergency Readiness Team (US-CERT) in Arlington, Virginia, and provides US-CERT a copy of the malware found on the compromised machine.

November 18, 2010: An OIG Special Agent attends a regularly scheduled cyber working group meeting and provides a copy of the image of the compromised machine to the group for analysis. The head of the group indicates that another government agency is at the late stages of a broader investigation to which the information pertains. DIT plans to continue to look for other compromised computers and perform needed remediation. The OIG decides not to investigate because of the risk of disrupting the other agency's investigation.

August 2011: An FBI Special Agent contacts DIT to set up a meeting to discuss malicious activity involving the FDIC network, in which files were downloaded to an FDIC IP address.

August 10, 2011: DIT meets with the FBI and initiates an investigation of the machines communicating with the command and control server. An OIG Special Agent is informed of the meeting but cannot attend; he receives no further information until March 2013.

August 26, 2011: Mr. Pittman and [redacted] brief the then-Acting Chairman, Chief of Staff, and Chief Risk Officer on the security incident.

August 31, 2011: A senior DIT security official directs the Computer Security Incident Response Team (CSIRT) to open a new general virus incident and report the incident to US-CERT as a Category 3 Event (Virus).

October-November 2011: DIT determines that the risk associated with the security incident is significant enough to warrant a number of short-, medium-, and long-term actions, including the rebuilding of several compromised servers and workstations, which requires a shutdown of the network and the resetting of passwords. The rebuilding event is originally planned for the 3-day Columbus Day holiday weekend in October 2011, but DIT postpones the event to the 3-day Veterans Day weekend in November 2011. Note: the network shutdown does not take place.

Summer-Fall 2012: DIT submits a mid-year budget request to contract with Mandiant Corporation, a cyber-security company that assists organizations in dealing with targeted cyber attacks on their networks. DIT has several phone conversations with Mandiant to discuss the work needed and contractual issues.

January 18, 2013: The FDIC executes a contract with Mandiant with an effective date of December 21, 2012. The objective of the contract is to assist the FDIC in responding to a suspected security incident and to help identify and investigate remedial efforts. The contract had been proposed in mid-2012 but, according to a DIT official, was delayed by contracting and budgeting issues.

March 25, 2013: The Inspector General meets with Mr. Pittman and informs him that the OIG has independently learned that the FDIC has been subject to a sophisticated network compromise that began in 2010.

March 25, 2013: The Inspector General and certain senior staff meet with Mr. Pittman and Mr. Toms to discuss the network compromise, including the notifications made during the computer security incident. Mr. Pittman states that the OIG and GAO were told of the events. Further, according to Mr. Pittman, the Chairman and one other Board member had been briefed and the incident was contained.

March 25,
2013: The OIG initiates an investigation of the events surrounding the incident.

April 2, 2013: DIT learns from Mandiant that the October 2010 and the August 2011 incidents involve the same APT.

Communications with the FDIC Chairman and Other Senior Officials

As outlined in the FDIC policy for reporting computer security incidents, DIT has an obligation to evaluate the seriousness of computer security incidents and inform senior management and the OIG within 24 hours. Mr. Pittman told the OIG on March 26, 2013, that the Chairman and senior staff were aware of the incident and that the incident had been contained. As part of our investigation, we interviewed the Chairman, his Chief of Staff Barbara Ryan, staff of other FDIC Board Members, the Chief Financial Officer, and the Chief Risk Officer to determine their level of awareness of the computer security incident. We learned that the Chairman and senior management were not aware of the scope or severity of the incident and were not kept apprised of its ongoing nature.

On August 26, 2011, the Chairman's staff received a briefing from Mr. Pittman and [redacted] concerning the computer security incident. In the materials prepared for the briefing, DIT states that it is addressing a malware infection that is extremely professional and well crafted. The materials indicate that DIT has identified 78 computers that were compromised (12 servers, 49 desktops, 15 laptops, and 2 copiers) and multiple data exfiltrations from the FDIC network. The briefing materials listed 12 executives whose computers were compromised, including the former Chairman, the Director and Deputy Director of OIA, the former General Counsel, the Chief Financial Officer, and the Chief Economist. Those attending the August 26, 2011 meeting stated that not all of this information was communicated by DIT during that meeting.

In an interview, Chairman Gruenberg advised that Mr. Pittman did the majority of the presentation. The Chairman recalls receiving an article from Vanity Fair magazine and a 2-page
summary that may have been collected at the end of the briefing. He indicated that Mr. Pittman's briefing was a general summary of a security issue that DIT had been notified of by the FBI. Mr. Pittman indicated that DIT was working with the FBI to address an intrusion attempt by a foreign entity. According to the Chairman, the tone of the briefing suggested the matter was a routine computer security event that is common throughout the federal government. Mr. Pittman indicated that DIT was aware of the threat, had identified the affected computers, had contained the problem, and had implemented safeguards and procedures to address the security concerns. The Chairman was unaware of the earlier possibility of shutting down the computer systems or service, or of the hiring of contractors to assist with the matter.

In an interview, Ms. Ryan stated that the August 26, 2011 meeting had lasted about an hour. She indicated that Mr. Pittman's briefing involved a Vanity Fair article about hacking titled "Enter the Cyber-Dragon," which he used to explain how common the incident was among other organizations. He explained that there were workstations affected but that DIT had controls in place to handle the issue and was working with the FBI. Ms. Ryan also stated that Mr. Pittman discussed how 15 megabytes of data had been exfiltrated from the former Chief of Staff's computer. Mr. Pittman explained that the 15 megabytes of data had been exported but, because the data had been [encrypted] before export, DIT could not identify any of the data that had been lost. [2] Ms. Ryan recalled Mr. Pittman saying that the computer security incident was contained. She stated that Mr. Pittman's manner and tone lacked a sense of urgency about the computer security incident. Ms. Ryan was unaware that DIT had planned to shut the network down for 3 days in October or November 2011 in order to implement certain remedial actions. She was also unaware until just recently that DIT had attempted to contract with Mandiant to assist the FDIC in dealing with targeted cyber attacks on the FDIC network. Both the Chairman and Ms. Ryan indicated that the August 26, 2011 briefing was the last briefing that the Chairman's Office received from DIT concerning the computer security incident. Both further noted that it was not brought up again until March 2013, when the FDIC OIG notified the Chairman and his staff about possible reporting issues concerning the intrusion in connection with the OIG's FISMA reporting for 2011 and 2012.

[2] We have subsequently learned that some of the information had not been [encrypted], but no efforts had been made to determine what type of information this was, notwithstanding that the file names appear to be sensitive.

The FDIC's Chief Risk Officer, Steve Quick, attended the August 26, 2011 briefing given by Mr. Pittman and [redacted]. Mr. Quick started working at the FDIC in mid-August 2011. Mr. Quick stated that Mr. Pittman did most of the speaking and that Mr. Pittman explained how the FDIC had been attacked by hackers that left some code on several of the machines. Mr. Pittman handed out an article to everyone at the briefing titled "Enter the Cyber-Dragon" from Vanity Fair. Mr. Quick stated that Mr. Pittman may have handed out something else during the briefing, but he, Mr. Quick, does not remember. He was shown briefing material prepared by Mr. Pittman but did not recall seeing such a document at the meeting. Mr. Quick stated that Mr. Pittman said DIT had identified the code and the external server involved in the incident and had stopped it. Mr. Pittman told the group that DIT had the intrusion well controlled and also mentioned that more than 10 servers had been infected. Mr. Pittman said that the code the hackers left behind would beacon out to servers outside of the FDIC. Mr. Pittman said DIT had identified the hackers' IP addresses and that, because of DIT's early detection and remediation, there was not much damage to the FDIC. Mr. Pittman said he would keep everyone informed of any new developments involving the intrusion. Mr. Quick did not receive another computer intrusion briefing from anyone in DIT until March 2013.

Mr. Quick stated that Mr. Pittman's style is to always express confidence and that he gave everyone the impression at the briefing that he was on top of the situation. Mr. Quick stated that he got the impression from the August 26, 2011 briefing that this kind of event happens all the time and that the situation [was under control]. Mr. Quick stated that he does not remember Mr. Pittman or [redacted] mentioning anything about data being exfiltrated by the hackers during the briefing. Mr. Quick also stated that he attended a meeting in October 2012 about cellular devices and overseas travel, but the computer security incident was only briefly mentioned. Mr. Quick vaguely remembers being told something about a network shutdown in the fall of 2011 and never associated it with the computer security incident. Mr. Quick was not aware that DIT had contracted with Mandiant until just recently. In April 2013, the Chairman's staff received multiple separate briefings from DIT and the OIG about the computer security incident. It was from the OIG that the Chairman's Office became aware that the incident may still not be contained.

In another interview, the Chief Financial Officer, Steve App, stated that in August 2011 Russ Pittman told him that the FBI had recently met with DIT and informed him that there was a security incident at the FDIC. Mr. App described it as an email [event]. He was aware of the August 26, 2011 briefing but did not attend. He was told by Mr. Pittman that the intrusion was under control and that contractors were helping out. Mr. App mentioned several times that the same type of event was happening all over town to other organizations. He stated he was not aware of what the intrusion was or how significant it was. He stated there were some processes that DIT should have followed during the incident, such as convening a Privacy Incident Response Team, as discussed in the next section of this report. He did not know whether the Chairman and his staff were aware of the ongoing threat related to the intrusion. He was aware that DIT had
planned a 3-day remediation that involved shutting down the network, and he thought it was a routine event. He thought the incident was contained and still thinks it is contained. [3]

[3] We have become aware that Mandiant has recommended that DIT take specific additional steps and follow additional best practices.

Mr. Pittman stated in an interview that he thought the Chairman understood the issue. He did not inform the Chairman of the planned 3-day shutdown but stated that he had informed the Chairman's office that some servers needed to be worked on due to the intrusion. He did not think he told the Chairman's office about contracting with Mandiant. [redacted] stated in an interview that he had given Mr. Pittman bullet points for the Chairman's briefing about the security incident. He stated that he did not remember telling the Chairman's office that the computer security incident was contained. [redacted] also stated that he and Mr. Pittman had decided to keep information on very close hold. With respect to the other internal Board Members, based on interviews with their Deputies, the Directors either had no knowledge of, or had never been informed of, the severity of the computer security incident.

We understand from DIT that it has briefed a number of senior FDIC and GAO officials subsequent to our March 26, 2013 meeting with DIT; however, it was not within the scope of our investigation to confirm all such meetings.

FDIC Policies and Procedures

The FDIC provides policy and guidance on responding to computer security incidents, breaches of sensitive information, and breaches of personally identifiable information (PII). See Attachment 2 for a listing of applicable documents. DIT management chose not to follow several FDIC policies and procedures related to such incidents.

FDIC policy defines some key terms that are relevant to our report, as follows:

- A computer security incident is an event that threatens the security of FDIC Automated Information Systems, including computers, mainframe, networks, software, and associated equipment, and information stored or transmitted using that equipment. As also stated in the policy, Automated Information Systems may be threatened by, for example, attempts by unauthorized individuals to gain access to the systems, or any attempt to gain access to FDIC data by someone not authorized to view it.

- Sensitive information is any information the loss, misuse, or unauthorized access to or modification of which could adversely impact the interests of the FDIC in carrying out its programs or the privacy to which individuals are entitled.

- PII is any information about an individual maintained by the FDIC which can be used to distinguish or trace that individual's identity.

A key procedure repeated in FDIC policies is the notification and involvement of DIT's Computer Security Incident Response Team (CSIRT). All users of FDIC computer systems are required to report suspected computer security incidents to CSIRT, which will investigate, track, and resolve all reported security incidents and will report security incidents affecting general support systems and major applications to the CIO and the FDIC management officials responsible for the security of FDIC resources. CSIRT is a component of the Information Security Staff and is authorized to address computer security incidents that occur or threaten to occur at the FDIC.

With respect to sensitive information, once a CSIRT investigation has been completed and it is determined that no breach of sensitive information has occurred, the CIO or CISO will request that CSIRT close the incident. Any other determination requires the convening of a Management Incident Response Team (MIRT) to assess and respond to the breach of sensitive information and discuss further actions. For a breach of PII, a Privacy Incident Response Team (PIRT) would be assembled. Both the MIRT and the PIRT consist of a diverse group of senior officials: the CIO, the CISO, and representatives from the Legal Division, Office of Legislative Affairs, Office of Communications, Office of the Ombudsman, Executive Office, and Division Information Security Managers. The PIRT also includes the Privacy Program Manager. One purpose that diverse representation on the MIRT and PIRT serves is to ensure broad consideration of the enterprise-level risks attendant on the compromise of data. Once convened, the MIRT and PIRT are required to assess the data submitted by CSIRT and determine the appropriate course of action within 24 hours of the breach notification. However, if data analysis requires additional time to complete, the Response Team may extend the 24-hour timeframe. The procedures for the MIRT and PIRT call for both teams to engage in a series of sequential steps, including determining the nature of the loss and conducting a risk assessment; determining potential impact and mitigation measures; making breach notifications; and completing mitigation activities and lessons learned. FDIC procedures for responding to sensitive information or PII breaches state that an effective and quick response in the event of a breach is critical to efforts to prevent or minimize any consequent harm.

With respect to the August 2011 APT, our investigation determined that DIT security officials did not comply with Circular 1360.12, Reporting Computer Security Incidents (June 2003). Specifically, notification was not made to CSIRT until 21 days after the discovery of the incident, rather than when it was identified, as required in the circular. In addition, when CSIRT was notified, the incident was reported as a general virus incident. Also, [redacted] informed CSIRT that no further information about the incident would be provided until the incident was resolved. He emailed instructions to CSIRT as follows:

"Can you please open up a new Virus incident for me - I'll be the point of contact for this incident. Just label the incident as a general virus incident called Knock Knock. This incident will be handled directly by me (eForensic review and follow up). The incident MUST remain open until you receive an email from me to close. I will not be able to provide you any further info. Note: Please report this incident to [US-CERT]."

Further, DIT management did not follow Circular 1360.9, Protecting Sensitive Information (April 2007), and the Procedures for Responding to Breach of Sensitive Information (February 2011, updated September 2012) after it was determined that potentially sensitive information and PII was likely accessed and exfiltrated from the FDIC network. The decision not to follow the circular and related provisions was critical because the event met the suspected computer security incident criteria and PII was involved, as evidenced by the fact that at least one server known to contain PII had been compromised. [4] Because these policies were not followed and the sensitive information/PII procedures were not invoked, neither a MIRT nor a PIRT was formed. Our investigation also revealed that, as of the date of his interview in April 2013, the FDIC-wide Privacy Program Manager, who is a key member of a PIRT, was unaware of any ongoing high-level intrusion at the FDIC.

[4] DIT had the name of the server in August 2011 but did not notify the affected office until April 1, 2013.

In interviews, Mr. Pittman and [redacted] stated that they did not believe a PIRT was necessary for this computer security incident. Mr. Pittman stated that he was not aware if a MIRT had been formed for the computer security incident, nor was he aware that it was his responsibility to report PII loss or create a PIRT. Mr. Pittman also stated that it did not occur to him to create a PIRT because he could not prove what PII was extracted from the FDIC, and that PIRTs are expensive, time-consuming tasks. [redacted] stated that DIT did not form a PIRT because there was no evidence of any PII being exfiltrated. According to [redacted], because DIT did not know what data was lost, there was no way to rectify the situation.

United States Computer Emergency Readiness Team

Among DIT's responsibilities is to notify the Department of Homeland Security's US-CERT within one hour of a computer incident.
US CERT leads efforts to improve the nation s cyber-seourity posture coordinate cyher information sharing and proactively manage cyher risksto the Nation while protecting the constitutional rights of Americans Through its 24x7 operations center US CERT accepts triages and collaboratively responds to incidents provides technical assistance to information system operators and disseminates timelynoti cations regarding current and potential security threats and vulnerabilities - US CERT de nes a computer incident as follows computer Incident within the Federal Government as defined by the National institute of Standards and Technology Special Publication is a violation or imminent threat of Violation of computer security policies acceptable use policies or standard computer security practices Attempts either failed or successful to gain unauthorized access to a system or its Federal incident Reporting Guidelines which are posted on US Web site state that a Agency incident reports should includes description of the incident and as much information as possible abbot such things as the incidents date and time source operating system system function method used to identify the incident resolution etc is incident reporting should not be delayed to gain additional information it it is not always feasible to gather all of the information prior to reporting Accordingly incident response teams should continue to report information ash is collected a Category 3 Malicious Code incidents should he reported daily but within 1 hour of discovery detach on if they are widespread across the agency a category 1 Unauthorized Access incidents should be reported within hour of discouery detection in this category an individual gains logical or physical access without permission to avfederal agency network system application data or other resource Theindhliduals responsibleior the filing of an incident ticketwith CSIRT and subsequent US CERT notifications all had different recollections in 
an interview, [redacted] stated that he did not remember whether or not he told Roderick Toms, Assistant Director, to tell the CSIRT staff not to create additional CSIRT tickets. In his interview, Mr. Toms stated that on August 31, 2011, [redacted], Senior IT Specialist, had opened up the shell ticket called "knock knock" in CSIRT to [record] the incident and also reported the incident to US-CERT. Mr. Toms stated that US-CERT was not notified within an hour of the incident as required by policy, and no further updating or reporting was made to US-CERT. Mr. Toms stated that the [redacted] shell ticket, which means it did not contain much information about the incident, and [redacted] instructed him not to create [...]. [Redacted] stated that he created the shell ticket named "knock knock" only to protect [...]. In any case, a shell ticket was created and the event was reported to US-CERT on August 31, 2011, as a Category 3 Event (Virus). The entire report said: "[Redacted] is writing to report that an FDIC machine is potentially virus-infected. The machine is in the process of being analyzed."

The shell ticket was untimely, 21 days after the meeting with the FBI. At that time, and as evidenced by DIT's reference to a malware reinfection that was "extremely professional and well crafted," DIT knew it was dealing with an APT and that 78 machines, rather than one machine, were involved. As noted earlier, 12 of the 78 compromised machines were those of the senior-most executives. With the available information at that time, the filing should have been a more serious Category 1 (Unauthorized Access) incident. DIT management provided the OIG reasons for DIT's using a shell ticket, including need-to-know concerns and a lack of confidence in the confidentiality of the FDIC CSIRT incident database with respect to the APT. Although the original shell ticket was reported to US-CERT, the ticket was not updated as required by US-CERT until May 16, 2013, when the OIG brought the matter to DIT management's attention and advised them to do so. In an interview,
Mr. Pittman stated that [redacted] had told him (Mr. Pittman) that all CSIRT and US-CERT notifications were being done correctly and in a timely manner. Mr. Pittman stated that he was unaware that the appropriate notifications were not being completed as required; however, he stated it is not part of his job description to get involved with CSIRT notifications.

Interconnection Security Agreements

DIT currently has 17 Interconnection Security Agreements (ISAs) or Memorandums of Agreement with other federal financial regulators, agencies, major financial institutions, and private sector service providers. Most of these agreements were signed by [redacted] as the [redacted]. Others were signed by Mr. Pittman or the former CIO. ISAs govern relationships between the FDIC and other organizations that interconnect IT systems with partner systems for the purpose of sharing information. Although the exact language varies, all of these agreements have clauses requiring notification to the other party when a security incident is discovered. As an example, the incident notification language in one such agreement states:

"Security incidents: Technical staff will, as soon as commercially reasonable or within 48 hours, notify their designated counterparts by telephone or email when a security incident(s) is detected, so the other party may take steps to determine whether its system has been compromised and to take appropriate security precautions. The system owner will receive formal notification in writing within five (5) business days after detection of the incident(s)."

During a recent briefing, Mr. Pittman and [redacted] were asked about the ISAs, and they could not recall the number of ISAs, who signed them, or any notification requirements. DIT has never made a notification to any ISA partner regarding the APT. [Redacted] stated that after the breach it was [redacted]'s responsibility to make [...]; [redacted] stated there has been no intention not to [...] on their part. Mr. Pittman stated that [...] notifications. Mr. Pittman also stated that the ISA [...] the process of
working with the Legal Division on the issue.

Disclosure to the GAO and OIG Auditors

During the March 26, 2013 meeting, [OIG] executives and OIG auditors were told of the incident. [Redacted] said that GAO, which was performing the 2012/2011 audits of the FDIC's financial statements, had been briefed on the APT. However, we learned that DIT officials did not disclose the activities or existence of the APT to the GAO auditors responsible for conducting the 2012/2011 and 2011/2010 audits of the financial statements of the FDIC. As part of these audits, GAO assesses the effectiveness of the information security controls over key financial systems, data, and networks. Accordingly, understanding the potential risk of the APT relative to the integrity of the financial statements was relevant to GAO's audit work. Shortly after the March 26, 2013 meeting, the OIG spoke with the GAO auditors involved in the financial statement audit work, who informed the OIG that they had not heard about the incident until the OIG brought it to their attention. We interviewed an Assistant Director from GAO's Information Technology team, who confirmed that he and his team were unaware of the compromised systems at the FDIC until March 26, 2013, when Mark Mulholland, Assistant Inspector General for Audits, called him. The GAO representative [recalled a] brief outline conversation with a junior staff member, but there was no formal notification. The GAO representative stated he was not sure if there is an obligation to inform GAO, but GAO would have preferred to know. GAO subsequently requested information about the compromises and the systems affected to see if the financial statement audit would be impacted.

We learned that GAO undertook a month-long independent review of the matter to determine what impact, if any, the events would have on the rendering of their financial statement audit opinion. The review included detailed requests for information and documentation, interviews, and briefings. GAO concluded there was not an impact on the financial statement audit opinion or on the internal
controls over financial reporting. However, at the FDIC Audit Committee meeting on May 23, 2013, GAO representatives expressed ongoing concern about internal controls, indicating that the incident raised questions about policies and procedures, tone at the top, and communications with auditors, and that management representations need to present the full picture.

Further, DIT officials did not disclose the APT to the OIG auditors responsible for conducting the 2011 or 2012 information security program evaluations required by FISMA. FISMA requires each federal agency to categorize its information assets in accordance with standards established by the National Institute of Standards and Technology. The security categories are based on the potential impact on an organization should certain events occur that jeopardize the information systems the organization needs to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. The Act also requires each agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The OIG's annual evaluations included an assessment of, among other things, the effectiveness of the FDIC's information security risk management program and incident response and reporting capability. As such, the APT was directly related to the scope of the evaluations.

With respect to the 2012 FISMA evaluation, during the period April 2012 through September 2012, the OIG auditors participated in status meetings, held 37 scheduled meetings and briefings, and exchanged numerous emails and phone calls with DIT security staff and managers to discuss security risks, program controls, and practices at the FDIC. The auditors also made 267 requests for
information during the evaluation. Further, between February 2012 and March 2012, the auditors participated in 2 meetings and made 13 requests for information related to the FDIC's network perimeter security during a survey of the FDIC's boundary controls that supported the 2012 FISMA evaluation. One of these requests, which was directed to [redacted] in March 2012, asked for a description of the sources, targeted devices, goals, and damage associated with the three most prevalent types of network attacks seen in the prior 6 months. Each of the meetings, briefings, and information requests described above presented an opportunity to disclose the ongoing compromises related to the APT. While DIT officials did not indicate that an APT was occurring at the FDIC, the CISO made references in various communications with the auditors during 2012 to general concerns he had about various IT security threats, such as non-APTs, APTs, top internet abusers, email spoofers claiming to represent the FDIC, country [...] malware, etc. We would note that at the March 26, 2013 meeting with OIG executives, [redacted] stated that he had verbally informed Mr. Mulholland of the computer security incident after an audit meeting at some time in the past. Mr. Mulholland said he was not aware of the event and that the statement was inaccurate.

In addition, the CIO's 2012 report, which was transmitted to the OMB Director, the Comptroller General of the United States, and various Congressional parties in November 2012, contained the following question and response:

Question: Provide the percentage of incidents that have been detected and attributed to successful phishing attacks. Please provide a comment to describe any innovative and effective ways your organization has found to address these attacks.

Response/Comment: Agency has experienced no successful phishing attacks during the reporting period. Agency uses a 3rd party (Phishme.com) to create and deliver fake phishing messages to the user community to
educate them on the dangers of phishing.

The answer to the question is incorrect. DIT detected numerous security incidents during 2011 and 2012 that were attributed to one or more successful phishing attacks, which were the source of the APT. In later interviews that the OIG conducted, Mr. Pittman and [redacted] stated that they had no intention of not informing the FDIC OIG [...]. Mr. Pittman stated that he did not inform the OIG and that it was a blind spot; [redacted] referred to it as an oversight. Mr. Pittman stated that it did not occur to him that the OIG did not know about the incident and that he or the Chairman's Office would have informed the OIG.

The OIG is planning a number of actions to address the fact that we were not made aware of the nature, scope, and risk of the APT and the entirety of actions being planned or taken to remediate it as we conducted our 2013 and 2012 FISMA work. These actions, consistent with Government Auditing Standards, involve (1) advising the Chairman that we did not have sufficient, appropriate evidence on which to base certain findings and conclusions in our 2011 and 2012 FISMA audit reports; (2) performing expanded audit procedures in certain areas of the information security program as part of the 2013 FISMA audit, particularly as it relates to the roles, responsibilities, policies, and procedures for resolving and reporting computer security incidents; and (3) notifying internal and external users of the report that those prior reports may not be reliable.

Attachment 1: Evidence of Compromise

Over 90 workstations or servers were verified as compromised:

- [...] Workstations, including those of the former Chairman; Deputy Director, [...]; Director, [...]; former Chief of Staff; former General Counsel; Chief Financial Officer; Chief Economist; Associate Director, Division of Insurance and Research; Senior Advisor; Deputy Director, Division of Risk Management Supervision; Senior Counsel, Legal Division; and former Deputy to the Chairman.
- [...] Copier/Printer/Scanner: a multi-purpose scanner, copier, and
printing device with a [...] operating system attached to the network. Commonly targeted by hackers for multiple reasons, including operating system vulnerabilities from delayed patching due to proprietary software, access to all printed/copied documents, and a good place to hide and wait to capture administrative credentials.
- [...] OIG Resource Server: includes the personal network drives of OIG personnel and contains a significant amount of sensitive information, personally identifiable information (PII), and personal healthcare information.
- Exchange Servers: 3 email servers that process and store email.
- [...] Servers: remote access to applications and services not installed on the local machine.
- Remote Access Servers: authenticate users and facilitate access to the network and applications, including a SafeWord Token Server [...].
- Domain Controller Servers: a domain controller is the centerpiece of the Windows domain service; it authenticates users, stores user account information, and enforces security policy for a Windows domain.
- Accounts: 15 service accounts; these accounts have [...].

Attachment 2: Documents Related to Computer Security Incidents

1. Circular 1360.12, Reporting Computer Security Incidents, June 2003
2. Circular 1360.9, Protecting Sensitive Information, April 2007
3. Procedures for Responding to Breach of Sensitive Information, February 2011, and updated in September 2012
4. Procedures for Responding to Breach of PII, September 2008, and updated in March 2013
5. Computer Security Incident Response Team (CSIRT) Guide, November 2011

Federal Deposit Insurance Corporation, 3501 Fairfax Drive, Arlington, VA 22226
Office of Audits and Evaluations, Office of Inspector General

DATE: January 15, 2016
MEMORANDUM TO: Lawrence Gross, Jr., Chief Information Officer
FROM: Mark F. Mulholland, Assistant Inspector General for Audits
SUBJECT: The FDIC's Efforts to Address
Recommendations Made by the OIG Pertaining to Credentialing and Multifactor Authentication (Assignment No. 2016-022)

In September 2015, the FDIC Office of Inspector General (OIG) issued an audit report entitled The FDIC's Identity, Credential, and Access Management (ICAM) Program (Report Number [...]), referred to herein as the ICAM audit report. The report contained recommendations addressed to the Director, Division of Administration, to coordinate with the then-Acting Chief Information Officer (CIO) and the Director, Division of Information Technology, to (1) prepare a business case that defines the goals and approach for implementing the ICAM program and (2) establish appropriate governance measures over the ICAM program. During the presentation of the ICAM audit report to the FDIC Audit Committee on November 18, 2015, the Vice Chairman expressed concern regarding the issues and risks identified during the audit and the actions to address those issues and risks. The Vice Chairman requested that the OIG conduct additional audit work in this area during the first quarter of 2016 and report back to the Audit Committee.

The purpose of this memorandum is to advise you that we are initiating the subject audit. The objective will be to assess the FDIC's plans and actions to address the recommendations contained in the ICAM audit report. As part of the audit, we plan to periodically report to management and the Audit Committee on the progress relative to goals and expectations and significant issues and risks that need to be addressed. We will contact the internal control liaison within the CIO Organization to schedule an entrance conference, during which time we will discuss our plans for conducting the audit. We welcome management's views in refining our audit objective, scope, and methodology. Joseph E. Nelson will serve as the Audit Manager and Thomas F. Ritz will serve as the Team Lead. If you have any suggestions or questions regarding this audit, please contact me at (703) 562-6316 or Joseph E. Nelson at (703) 562-6314.

cc:
Martin D. Homing, [...]
Rack D. Campbell, DIT
Daniel H. Bendler, DOA
James H. Angel, Jr., DOF

Federal Deposit Insurance Corporation, 3501 Fairfax Drive, Arlington, VA 22226
Office of Audits and Evaluations, Office of Inspector General

DATE: February 11, 2016
MEMORANDUM TO: Arthur J. Murton, Director, Office of Complex Financial Institutions; Lawrence Gross, Jr., Chief Information Officer
FROM: Mark F. Mulholland, Assistant Inspector General for Audits
SUBJECT: Audit of the FDIC's Controls for Mitigating the Risk of an Unauthorized Release of Sensitive Resolution Plans (Assignment No. 2016-018)

The purpose of this memorandum is to advise you that we have completed the planning phase of the subject audit and are proceeding with detailed field work. The audit objectives are to determine the factors that contributed to a security incident involving sensitive resolution plans and assess the adequacy of mitigating controls established subsequent to the incident. The sensitive resolution plans involved in the incident were [submitted by] financial companies pursuant to section 165(d) of the Dodd-Frank Wall Street Reform and Consumer Protection Act. The majority of field work will be performed at the FDIC's Virginia Square offices in Arlington, Virginia, and headquarters offices in Washington, DC. Additional sites to be visited may be identified during the audit. We will coordinate our work with the Internal Control Liaisons (ICLs) for the Office of Complex Financial Institutions, Chief Information Officer Organization, and Division of Information Technology. We will contact the ICLs in the near future to schedule an entrance conference wherein we will discuss our plans for conducting the audit field work. If you have any questions or concerns regarding this audit prior to the entrance conference, please contact me at (703) 562-6316 or Joe Nelson, Audit Manager, at (703) 562-6314.

cc:
Titus S. Simmons, OCFI
Rack D. Campbell, CIOO
Stephen M. Hams, Legal Division
James H. Angel, Jr., [...]

Federal Deposit Insurance Corporation, 3501 Fairfax Drive, Arlington, VA 22226
Office of Audits and Evaluations
Office of Inspector General

DATE: February 19, 2016
MEMORANDUM TO: Lawrence Gross, Jr., Chief Information Officer
FROM: [signature], Assistant Inspector General for Audits
SUBJECT: Information Security Incident Warranting Congressional Reporting

The purpose of this memorandum is to alert you to an instance of apparent non-compliance with the Federal Information Security Modernization Act of 2014 (FISMA) and related guidance issued by the Office of Management and Budget (OMB) (footnote 1). As part of our planning work for Assignment No. 2016-023, The FDIC's Process for Identifying and Reporting of Major Security Incidents, we reviewed the facts and circumstances pertaining to FDIC Security Incident Number 87, referred to herein as the incident, including whether the incident meets the criteria for being designated as major. FISMA and OMB Memorandum M-16-03 require federal agencies, including the FDIC, to report security incidents designated as major to the Congress within 7 days of the agency having a reasonable basis to conclude that a major incident has occurred. Our analysis indicates that reasonable grounds existed to designate the incident as major as of December 2, 2015, and as such, the incident should have been reported to the Congress not later than December 9, 2015 (footnote 2). In our view, the incident should now be reported immediately. A summary of our analysis and conclusions follows.

Agency Requirement to Report Major Security Incidents

FISMA requires federal agencies to establish procedures for detecting, reporting, and responding to security incidents. Such procedures are intended to minimize loss and destruction when security incidents occur. Among other requirements, FISMA states that agency incident response procedures must include notifying and consulting with, as appropriate, various Congressional committees for security incidents determined to be major. According to the statute, Congressional notification is to occur not later than 7 days after the date on which there is a reasonable basis to conclude that a major security incident
has occurred. FISMA also requires that the agency's annual security reports include a description of each major security incident, including the number of individuals affected if a breach of personally identifiable information (PII) is involved. FISMA states that agencies should notify affected individuals as expeditiously as practical and without unreasonable delay. In accordance with FISMA, OMB must define what constitutes a major security incident. Accordingly, OMB issued its Memorandum M-16-03, which describes the factors that must be considered when determining whether a security incident should be designated as major. The memorandum notes that although agencies may consult with the Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) when determining whether an incident should be considered major, it is ultimately the responsibility of the victim agency to make the determination. The FDIC Legal Division has opined that OMB Memorandum M-16-03 is generally applicable to the Corporation.

Footnote 1: OMB Memorandum M-16-03, Fiscal Year 2015-2016 Guidance on Federal Information Security and Privacy Management Requirements, dated October 30, 2015, referred to herein as OMB Memorandum M-16-03.
Footnote 2: As discussed on page [...] of this memorandum, it is possible that the incident could have been designated as major as early as November 6, 2015, 7 days after OMB issued Memorandum M-16-03, given the nature of the information involved.

Privileged Information - For Official Use Only

Key Facts and Activities Related to the Incident

On October 23, 2015, the Information Security and Privacy Staff (ISPS) Data Loss Prevention program notified the Computer Security Incident Response Team (CSIRT) of a suspected computer security incident. Specifically, ISPS informed CSIRT that a former Bank Secrecy Act (BSA) specialist within the Division of Risk Management Supervision (RMS) Gainesville, Florida field office appeared to have copied a large quantity of sensitive information (more than 1,200 documents, including Social
Security numbers (SSNs) from customer bank data and other sensitive FDIC information) onto a single USB drive (a portable storage device). According to the Computer Security Incident Report prepared by [redacted] that same day, the sensitive information appeared to include Bank Currency Transaction Reports, BSA Customer Data, reports on [...], and personal work and tax files. The report indicated that the employee had downloaded the information on September 16 and 17, 2015, and October 15, 2015, prior to her departure (footnote 3). It was not known at the time of the incident whether the USB drive was [a personal device]. The incident was also reported to the FDIC Privacy Program Office on the same day the incident was identified (October 23, 2015). On November 3, 2015, ISPS determined that the USB drive was a personal device. FDIC policy prohibits employees from storing sensitive information on personal equipment.

The FDIC's Data Breach Management Team (DBMT) investigated the incident and recommended in a November 25, 2015 incident summary report that the Chief Information Officer (CIO) classify the incident as a breach. In making the recommendation, the DBMT considered information contained in a detailed Incident Risk Analysis (IRA) that included, among other things, a description of the same type and volume of sensitive information as referenced in the Computer Security Incident Report. The DBMT also indicated that additional work was needed to determine the impact level of the breach. On December 2, 2015, FDIC staff determined that at least 10,000 unique SSNs were involved in the breach. On the same day, the FDIC sent the former employee's attorney a letter requesting that the USB drive be returned to the FDIC not later than December 8, 2015.

Footnote 3: The employee left the FDIC's employment on October 15, 2015.

On December 7, 2015, the CIO concurred with the DBMT's recommendation to classify the incident as a breach. The CIO also made a determination on behalf of the FDIC that the incident was not major. The CIO's determination was noted in a December 7, 2015 DBMT Summary Report, which
stated: "Based on the recommendation of the DBMT and the supporting chronology, the Chief Information Officer concurs with the recommendation of the DBMT. However, after careful review of the Office of Management and Budget Memorandum M-16-03 dated October 30, 2015, [the CIO] does not recommend classification of the incident as a major incident."

The CIO informed us that he discussed his recommendation that the incident was not major in a meeting with the Deputy to the Chairman and Chief Operating Officer, Chief of Staff, the Deputy General Counsel, and a representative of the Office of Legislative Affairs. The meeting was held on or about December 7, 2015. The CIO stated that the participants in the meeting expressed no concern with the proposed recommendation. The CIO informed us that his recommendation was based on, among other things, information that was available on the incident, the November 25, 2015 recommendation, applicable information security guidance, and various mitigating factors, such as:

- the employee was not disgruntled when she left the FDIC;
- a belief that the employee accidentally downloaded the information when attempting to download personal information, because the employee was not familiar with information technology;
- the employee was working through significant personal issues, including a divorce and not living at her residence, presenting a distraction for the employee; and
- the FDIC ultimately recovered the USB drive from the employee.

The FDIC recovered the USB drive on December 8, 2015, following extensive discussions with the employee and her attorney. As of the date of this memorandum, ISPS were continuing to investigate the incident by reviewing the downloaded information for purposes of identifying individuals whose PII was exposed through the breach. The CIO informed us that a decision had not yet been made with respect to whether the FDIC will provide notification and/or credit monitoring to the affected individuals (footnote 4).

Footnote 4: The FDIC had not updated its policies and procedures to address
major security incidents at the time this decision was made. However, the CIO informed us that only the FDIC Chairman could designate a security incident as major, based on a recommendation from the CIO and in consultation with the Legal Division. The CIO also advised us that since [the CIO] determined that the incident was not major, this determination was not forwarded to the Chairman for review or approval.
Footnote 5: Although not required, we noted that a written legal analysis supporting the determination had not been prepared.

In addition, the CIO told us the FDIC had not consulted with the OMB or [US-CERT] in making its determination that the incident was not major.

OIG Analysis

According to OMB Memorandum M-16-03, a major incident will be characterized by a combination of the following factors:

1. Involves information that is Classified, Controlled Unclassified Information (CUI) Proprietary, CUI Privacy, or CUI Other; and
2. Is not recoverable, not recoverable within a specified amount of time, or is recoverable only with supplemental resources; and
3. Has a high or medium functional impact to the mission of an agency; or
4. Involves the exfiltration, modification, deletion, or unauthorized access or lack of availability to information or systems within certain parameters, to include either (a) a specific threshold of number of records or users affected (footnote 6), or (b) any record of special importance (footnote 7).

Footnote 6: OMB Memorandum M-16-03 defines these thresholds to be 10,000 or more records or 10,000 or more users affected.
Footnote 7: OMB Memorandum M-16-03 defines a record of special importance as any record that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in a significant or demonstrable impact on agency mission, public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. A collection of records of special importance in the aggregate could be considered an agency High Value Asset.

Based on our analysis, we determined that the incident satisfies three of the above-referenced factors, as demonstrated in the table below.

Factor 1 (information involved). OIG analysis: On October 23, 2015, the Data Loss Prevention program identified that potentially 1,200 documents that include SSNs and bank data were copied to a USB drive by a then-departed employee. An IRA completed on or about November 25, 2015 identified that the incident included more than 1,200 documents and zip files including SSNs. In addition, the analysis noted that files contained customer bank data with BSA Currency Transaction Reports, and a small subset of the data contained personal work and tax files of the former employee. Further, on December 2, 2015, the FDIC confirmed that at least 10,000 unique SSNs were included in the employee's download. Conclusion: The documents contained personal information, or in some cases PII as defined in OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007, or means of identification as defined in 18 U.S.C. 1028.

Factor 2 (recoverability). OIG analysis: Recovery from the incident is not possible [if] sensitive data is exfiltrated and posted publicly. The incident included more than 10,000 SSNs downloaded to a personal and non-password-protected USB drive that was removed from the FDIC's premises without authorization for a period of almost 2 months (October 16, 2015 through December 8, 2015). It is not possible for the FDIC to determine whether the information was compromised prior to USB drive recovery on December 8, 2015. Conclusion: Recoverable, [but with] demonstrable impact to public confidence if disclosed.

Factor 4 (exfiltration). Definition: To obtain, without authorization or in excess of authorized access, information from a system without modifying or deleting it. If this information was exfiltrated, changed, deleted, or otherwise compromised, then the incident is considered major if either 10,000 or more records or records of special importance were affected. OIG analysis: The access became unauthorized when the employee departed from the FDIC. The information was taken via an unauthorized device off of the FDIC's premises.

Source: OIG analysis of the application of factors in OMB Memorandum M-16-03 to the subject incident.

We also determined that the incident should have been reported to the Congress not later than December 9, 2015, 7 days after it was determined that more than 10,000 unique SSNs were involved in the breach (footnote 8). At that time, the FDIC had a reasonable basis to conclude that the factors in OMB Memorandum M-16-03 were met to designate the incident as major. Moreover, it is possible that the incident could have been designated as major as early as November 6, 2015, 7 days after OMB issued its Memorandum, as the exfiltration involved records that had special importance (footnote 9). Further, we found that the FDIC had not documented the underlying analysis of how the factors in OMB Memorandum M-16-03 were applied in determining that the incident was not major.

Footnote 8: We independently verified that at least 10,000 unique SSNs were included in the breach. We also noted that the SSNs are often associated with other PII such as bank names and addresses. In addition, the information we reviewed included Department of Treasury's Financial Crimes Enforcement Network suspect lists, copies of drivers licenses, passports, tax returns, State of Florida reports of examination, enforcement actions, banks' wire logs, and [...] cards.
Footnote 9: The information downloaded by the employee included [...]. Inappropriate disclosure of [...] to an unauthorized person is a violation of federal law. Such disclosure could result in [a demonstrable impact] to public confidence in the FDIC's ability to protect personal information. Further, the incident risk analysis completed on or about November 25, 2015 noted that the downloaded information could be used to open new accounts or commit identity theft, and could be used to cause public/reputational embarrassment, jeopardize the mission of the FDIC, or cause other harm.

The CIO informed us that during his meeting with the Deputy to the Chairman and Chief Operating Officer, Chief of Staff, and officials in the Legal Division and Office of Legislative Affairs, the factors in the OMB memorandum were specifically considered and weighed against the aforementioned mitigating factors. In addition, according to the CIO, the incident was considered in the context of other FDIC incidents having similar characteristics, none of which were determined by the FDIC to be major, before concluding that the incident did not rise to the level of a major incident as defined in OMB Memorandum M-16-03. The CIO added that he was comfortable that the data had not been shared by the employee with other individuals and that the incident was similarly situated with other FDIC incidents in terms of the volume and nature of data involved. The CIO also told the OIG that there is no written record of the aforementioned meeting or other documented analysis that describes how the incident was analyzed for purposes of determining whether it was major.

Mitigating Factors

As discussed earlier, the CIO articulated several factors that in his view mitigate the potential risk or impact of the incident. Such factors include, for example, the former employee not being disgruntled at the time of her departure and the belief that the information was accidentally downloaded to the USB drive. However, OMB Memorandum M-16-03 does not provide for the application of such factors in determining whether an incident is major. As part of our review, we spoke with OMB officials to ensure we had a proper understanding of the criteria in the memorandum. These officials informed us that it would be reasonable for agencies to consider factors other than those listed in the memorandum in making a determination on reporting. However, when provided hypothetical mitigating factors, such as those the CIO referenced earlier, they advised us that such factors would not be an appropriate basis for determining that an incident is not major and does not require reporting to the Congress. The officials added that agencies should engage in proactive communication with the
Congress while incident analysis is ongoing Aggravating Factors In addition to the mitigating factors that the CIO mentioned several aggravating factors-exist that may increase the risk associated with the incident Speci cally - The information was stored on a personal device in an foimat and wi icut password protection As a result the information was accessible to anyone with access to the device Further the information was outside of the control for almost 2 months and no technical means exists to obtain assurance that the information was not accessed by others it The employee s new employer is a nancial services rm owned by a parent company that is based in Bangalore India The employee was not forthright with the FDIC when attempts Were made to recover the information For example the employee repeatedly denied downloading the information and owning a portable storage device a In November 2015- the employee s former supervisor espressed concern about the content of the les downloaded by the employee and the fact that many of the les were 6 Of oad Use Dirty Enclosure downloaded on the employee s last day of employment which the supervisor believed may hare indicated suspicious activity a An employee who inappropriately copies information that lie she ows or should know to be highly sensitive at the end of his her employment and who is at the same time dealing with major personal issues ag a diverse living in a hotel room seeking employment presents a heightened secoitity risk pro le Conclusion Our analysis indicates that improvement is needed in the process for identifying and repoitiog major security incidents including the elapsed time between an initial incident and key decisions In this case 6 weeks elapsed between the initial reporting of the incident and a determination of whether a breach had occurred and whether it required repoxting Additional decisions regarding noti cation to hidivicluals and or organizations impacted remain outstanding almost 4 months 
after the incident became lmown Our most signi cant and immediate concern however is that the FDIC needs to immediately report what we have concluded is a major incident to the appropriate Congressional committees Doing so would be consistent with relevant statutory and policy requirements and serve to mitigate the risk of a negative nancial impact on the organizations and individuals potentially affected by the breach As described earlier the information involved in the incident includes a large volume of highlyeensitlve P11 which increases the risk of identity theft and consumer ned for the affected individuals inthis regard the FDIC should also place p ority attention on making a decision with respect to Whether affected individuals and or organizations will be noti ed including whether such noti cation should be made incrementally as investigative activities continue We request that you provide us a written response to this memorandtso that indicates whether you will report this incident to the Congress and that describes other planned actions to address the matter as soon as possible bot not later than Wednesday February 24 2016 If you have any questions or concerns regarding this memorandum please contact me at 703 562-6316 or Laura A Benton Audit Manager at 703 56245320 We appreciate your prompt attention to this matter cc Rack D Campbell BIT Martin D Honohtg E0 Christopher J Fairow CISO James H Angel Jr DOF 7 Privileged InformationwFor amass Use Only Enclosure