House Panel Investigates FDIC BreachSensitive Information on 44,000 Individuals 'Inadvertently' Taken by Departing Employee
A House committee is seeking information about security breaches at the Federal Deposit Insurance Corp. in the wake of a former employee departing the agency with a mobile storage device containing sensitive data on more than 44,000 individuals.
See Also: The Global State of Online Digital Trust
Rep. Lamar Smith, the Texas Republican who chairs the House Science, Space and Technology Committee, characterizes the breach as "troubling" in an April 8 letter he wrote to FDIC Chairman Martin Gruenberg. "Sensitive information that is housed for any length of time without proper measures in place to mitigate cybersecurity risks is susceptible to a breach," Smith wrote. "Even more troubling, the potential for a breach is especially heightened when sensitive information for over 44,000 individuals is stored without proper security measures."
Smith confirms an FDIC worker in the process of leaving a job at the agency copied personal information of 44,000 individuals onto a personal portable storage device.
According to a memo from Gruenberg obtained by the Washington Post, which first reported the breach, the employee left the FDIC on Feb. 26, taking the storage device from the premises "inadvertently and without malicious intent." Using technology to track downloads to removable devices, the FDIC detected the breach on Feb. 29 and the employee returned the device the next day.
FDIC Eliminating Portable Storage Device Use
FDIC spokeswoman Barbara Hagenbaugh told the Post the agency has eliminated the use of portable storage devices for most employees and plans to do that for others. The former employee signed an affidavit indicating the breached information was not used in any way, Hagenbaugh told the newspaper. The affected data included names, addresses and Social Security numbers. The trade publication American Banker reports the exposed customer information came from closed banks.
Smith says the committee wants to ensure that the FDIC is taking appropriate action to mitigate the risks posed by the incident as well as other cybersecurity risks. The committee seeks documentation regarding the incident as well as detailed descriptions of all major security breaches involving FDIC information since Jan. 1, 2009.
Smith's committee is investigating the breach because it has jurisdiction over the National Institute of Standards and Technology, which develops cybersecurity standards for government agencies.