FDIC's Ninth Cybersecurity Breach by Former Employee Revealed by Lawsuit

WASHINGTON — As the Federal Deposit Insurance Corp. grapples with a series of newly revealed cybersecurity incidents, the U.S. government is prosecuting a former agency employee over a 2012 breach.

In April of that year, Howard P. Zitsman emailed an Excel file from his work to his personal account, the U.S. government has charged.

The document he sent himself — labeled "Securities Inventory 2012-04-18" — contained "confidential business information," according to court filings.

Zitsman, a former investment banker who was a senior capital markets specialist at the agency from 2010 until 2012, was charged last month in U.S. District Court in Northern Illinois with a misdemeanor for his alleged theft of government property.

As a contractor, he "was required to protect all data collected and generated while working for the FDIC, and was prohibited from removing sensitive information from the workplace without authorization," the two-page complaint stated.

Instead, he knowingly stole the data, which was "confidential and proprietary information belonging to the FDIC," the government alleged. A court hearing has been set for June 6. An attorney for Zitsman did not return calls seeking comment.

FDIC spokeswoman Barbara Hagenbaugh said the agency was not involved in the lawsuit, and had reported the incident to its inspector general when it learned about it.

The agency is under congressional inquiry into several recent incidents that involved former employees walking away with sensitive data — affecting 160,000 individuals in total — on a portable media device.

Eight such incidents have already been made public, including one case in which a departing employee stole the living wills of large banks.

In 2010, the FDIC was also hit by a cybersecurity attack — believed to have originated in China — that eventually hit the work station of then-FDIC Chairwoman Sheila Bair.

The FDIC has been accused by its inspector general and by lawmakers on the House Committee on Science, Space and Technology of failing to disclose the incidents fast enough to the proper authorities.

In a letter to the agency Thursday, the committee suggested that testimony from FDIC Chief Information Officer Lawrence Gross earlier this month was "intentionally misleading," and could expose him to "criminal liability."

The committee called into question the agency's characterization of one incident as an accident.

The case involved a departing employee who carried away large amounts of data, including 10,000 Social Security numbers, on a zip drive.

Though the employee had denied possessing a zip drive, or even knowing what a zip drive was, the agency held it was an accident.

"I don't believe she realized she took FDIC-specific data," Gross had told the panel, adding that she might have lied about possessing the documents because she suddenly found herself in an "awkward situation."

But the committee found that the employee in question had received a master's degree in information technology.

"Mr. Gross' claim that the employee in question was not computer proficient raises serious questions regarding whether his testimony was intentionally misleading," the letter said.

"Serious questions are raised when an FDIC employee holding a master's degree in technology denies even knowing about basic computer technology and Mr. Gross, the CIO, believes the story."

The committee also accused the FDIC of not fully responding to its document request. The agency's inspector general, the letter notes, provided 833 pages, whereas the CIO only turned over 88 pages.

"It appears that Mr. Gross only wanted to provide the committee with testimony that supported his narrative and was prepared to only discuss examples that were cherry picked from the OIG's document production," the letter states.

The committee demanded that the agency address these issues, as well as two other "discrepancies in Gross' testimony" by May 25.

Finally, the lawmakers said they would again seek direct testimony from FDIC Chairman Martin Gruenberg.

FDIC Inspector General Fred Gibson said during the hearing earlier this month that his office was pursuing a criminal investigation, but he later declined to comment further.
