The FDIC detected and quickly moved to mitigate a breach of 44,000 customer records after an employee leaving the agency inadvertently downloaded the data to a removable media device Feb. 26.
Within three days of the breach, an agency data loss prevention tool detected the download. The employee returned the device with the data the next day.
The employee, who worked in the FDIC's resolution and receivership group, signed an affidavit confirming she did not in any way use or share the information, which contained names, addresses and loan numbers of customers affected by bank closures.
“The FDIC's relationship with the employee has not been adversarial,” FDIC CIO Lawrence Gross Jr. wrote in a March 18 memo to FDIC Chairman Martin J. Gruenberg obtained by the Washington Post, which first reported the news. “The FDIC's investigation does not indicate that any sensitive information has been disseminated or compromised.”
The FDIC followed the mandates in the Federal Information Security Management Act and reported the incident to Congress right away. Since February, the FDIC has updated its policy to prohibit removable storage device usage.
Despite the FDIC's efforts to mitigate the risks in the aftermath of the breach, the House Committee on Science, Space, and Technology opened an investigation into the agency's history of information security. Committee Chairman Lamar Smith (R-Texas) asked Gruenberg for details about the breach and all major security breaches involving FDIC information since 2009.
“As you know, sensitive information that is housed for any length of time without proper measures in place to mitigate cybersecurity risks is susceptible to a breach,” Smith wrote. “Even more troubling, the potential for a breach is especially heightened when sensitive information for over 44,000 individuals is stored without proper security measures.”
“The FDIC was lucky that the employee cooperated and returned the data. Not every company or government agency will fare so well,” Gord Boyce, CEO of San Jose, Calif.-based file security firm FinalCode, said.
Boyce added that, with all of the layers of security available, organizations have no excuse when it comes to preventing data leakage of customer information or intellectual property.
“Securing sensitive information at the file level is the best way to define individual access permission and ensures that you can maintain control over your data everywhere it travels, inside or outside the organization,” he said.
The FDIC breach serves as a cautionary tale about the susceptibility of sensitive information, no matter the intentions.
“Once unencrypted data is out there, it's out there. Organizations should foresee this occurring and apply file security and policies beforehand,” Boyce maintained.