FHFA is highly vulnerable to hacking threats: OIG

The Federal Agency for Housing Financing (FHFA) The Office of the Inspector General (OIG) has warned the agency that it has serious network security deficiencies that make its computer systems vulnerable to hacking, based on “penetration testing” the OIG has conducted. This is according to a report issued by the FHFA OIG itself.

The tests revealed “serious vulnerabilities” that increase the likelihood of successful hacking attempts by malicious actors, and the 38-page report details some of the cases in which the tests successfully breached FHFA computer security systems.

“In one case, we gained access to a privileged user account that allowed us to view, edit, or save files to the local drives of the laptop or desktop of any user, including top-level FHFA managers,” the report said. “We were also able to convert a standard user account into a domain administrator and take full control of the FHFA network. We had essentially unfettered access to the agency’s information technology (IT) infrastructure.”

The report characterizes the security deficiencies as seriously serious due to the sensitive nature of FHFA computer data.

“FHFA’s network and systems host a variety of data and information, such as financial reports and data from Fannie Mae And Freddie Mac, Collaborative Securitization Solutions, LLCthe Federal home loan banksand the Bureau of Financeas well as the personally identifiable information of FHFA employees,” the report details. “As such, it is important that the configurations and controls in place are effective to prevent unauthorized access to systems and information.”

But the extent to which the testers were able to infiltrate the agency’s computer systems shows that the identified security issues require immediate attention, the report said.

“The breadth, depth and potential impact of the network security deficiencies are serious matters requiring immediate corrective action by FHFA management,” the report said. “Accordingly, we report eight findings related to the identified audit deficiencies.”

Some of the possible outcomes could include compromising “the confidentiality, integrity and availability of FHFA’s sensitive information,” including obtaining personally identifiable information, extracting, deleting or altering sensitive agency data, discovering credentials, including usernames and passwords. as compromises of systems that could hinder FHFA’s ability to accomplish its mission.

At the end of the report, FHFA management responded to each of the individualized findings and proposed corrective actions it planned to take. The OIG has considered all planned corrective actions to meet the intent of its recommendations.

“Overall, we believe that FHFA management is responsive to the recommendations in this report,” the OIG said. “These recommendations remain open until we confirm that corrective actions have been fully implemented. FHFA’s written response, in its entirety […].”

Luis Campudoni, FHFA’s chief information officer, detailed the agency’s response to the report.

“I have directed the Office of Technology and Information Management (OTIM) to develop and implement a comprehensive plan to address the recommendations,” Campudoni wrote to the OIG. “I am committed to addressing the underlying findings of the report, and OTIM has already initiated several remedial actions to address the recommendations.”