Did GAO Just Hand Hackers a Blueprint for Breaking into the FDIC?

By Pam Martens and Russ Martens: June 2, 2017

When it comes to demanding transparency in government, Wall Street On Parade typically takes the position that citizens have a constitutional right to their government’s records. We demand those records regularly at Federal agencies using the Freedom of Information Act and at state and local government agencies using the relevant sunshine laws.

This past Wednesday was the first time that we can recall when we read a publicly released report from the Government Accountability Office (GAO), the nonpartisan watchdog for Congress, that made us queasy that the information should never have been released.

The report concerned the information technology systems of the Federal Deposit Insurance Corporation (FDIC). The GAO seemed to be handing potential cyber attackers a roadmap on how to exploit the FDIC’s many vulnerabilities.

Federal deposit insurance was first created under the Glass-Steagall Act (also known as the Banking Act of 1933) to provide Federally-backed insurance on bank deposits of participating institutions. Federal insurance at that time was desperately needed to shore up public confidence in the nation’s banks in the wake of thousands of bank failures resulting from the stock market collapse and ensuing Great Depression. Following the 2008 Wall Street crisis, FDIC insurance was beefed up and remains critically important to confidence in the U.S. banking system today.

The GAO report warned:

“Until FDIC takes the necessary steps to address both new and previously reported control deficiencies, its sensitive financial information and resources will remain at increased risk of inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction. The combination of the continuing and new information security control deficiencies in access and configuration management controls, considered collectively, represent a significant deficiency in FDIC’s internal control over financial reporting as of December 31, 2016.”

But the report then went well beyond vague generalities and got into specifics of what areas were at risk. We won’t repeat that information nor will we link to the report. We have contacted the GAO urging it to redact the vulnerable areas. (If the goal of the GAO is to publicly embarrass the FDIC into action, it can do that by issuing the report for a second time with the sensitive information appearing in blacked-out boxes.)

The GAO also published a separate related report with six recommendations on how to fix the FDIC deficiencies. That report was, admirably, restricted from access to the public.
