The Federal Deposit Insurance Corp. detected and quickly moved to mitigate a breach of 44,000 banking customers’ information after an employee leaving the agency inadvertently downloaded the data to a personal device.
The employee downloaded the data to a removable media device Feb. 26 before leaving her post with the FDIC, which Congress created in 1933 after the Great Depression to promote financial stability and restore confidence in the banking system by insuring deposits made to banks. Within three days of the breach, an agency data loss prevention tool detected the download, FDIC spokeswoman Barbara Hagenbaugh told FedScoop. The employee returned the device with the downloaded data the following day.
The employee, who worked in FDIC’s “resolution and receivership group,” signed an affidavit affirming that she did not in any way use or share the information. The compromised data included, in some cases, the personal information — such as people’s names, addresses and loan numbers — of customers of banks that had closed.
“The FDIC’s relationship with the employee has not been adversarial,” FDIC CIO Lawrence Gross Jr. wrote in a March 18 memo to FDIC Chairman Martin J. Gruenberg obtained by the Washington Post, which first reported the news. The memo said the former employee downloaded the data “inadvertently and without malicious intent.”
Data loss prevention tools are software or hardware packages designed to prevent — or at least record for future audit or review — potentially unauthorized downloads or exfiltration of data.
The FDIC followed the mandates in the Federal Information Security Management Act and reported the incident to Congress immediately “out of an abundance of caution and to be transparent with Congress,” Hagenbaugh told FedScoop.
Since February, the FDIC has also updated its policy to prohibit the usage of removable storage devices.
“The majority of employees no longer have access to it,” Hagenbaugh said. “And we’re phasing it out for the rest of the employees … entirely.”
Despite FDIC’s efforts to mitigate the risks in the aftermath of the breach, the House Committee on Science, Space, and Technology opened an investigation into the agency’s history of information security. Committee Chairman Lamar Smith, R-Texas, penned a letter Friday to agency Chairman Gruenberg requesting a briefing on the “troubling” breach to ensure FDIC is taking proper actions.
“As you know, sensitive information that is housed for any length of time without proper measures in place to mitigate cybersecurity risks is susceptible to a breach,” Smith wrote. “Even more troubling, the potential for a breach is especially heightened when sensitive information for over 44,000 individuals is stored without proper security measures.”
In the briefing, Smith wants the FDIC to detail all documents and communications concerning the breach, the information involved, and any security breaches since Jan. 1, 2009.
Hagenbaugh said the FDIC will work with the committee to fulfill its requests.