House Panel Investigates FDIC Breach

Sensitive Information on 44,000 Individuals 'Inadvertently' Taken by Departing Employee

A House committee is seeking information about security breaches at the Federal Deposit Insurance Corp. in the wake of a former employee departing the agency with a mobile storage device containing sensitive data on more than 44,000 individuals.

Rep. Lamar Smith, the Texas Republican who chairs the House Science, Space and Technology Committee, characterizes the breach as "troubling" in an April 8 letter he wrote to FDIC Chairman Martin Gruenberg. "Sensitive information that is housed for any length of time without proper measures in place to mitigate cybersecurity risks is susceptible to a breach," Smith wrote. "Even more troubling, the potential for a breach is especially heightened when sensitive information for over 44,000 individuals is stored without proper security measures."

Smith confirms an FDIC worker in the process of leaving a job at the agency copied personal information of 44,000 individuals onto a personal portable storage device.

According to a memo from Gruenberg obtained by the Washington Post, which first reported the breach, the employee left the FDIC on Feb. 26, taking the storage device from the premises "inadvertently and without malicious intent." Using technology to track downloads to removable devices, the FDIC detected the breach on Feb. 29 and the employee returned the device the next day.

FDIC Eliminating Portable Storage Device Use

FDIC spokeswoman Barbara Hagenbaugh told the Post the agency has eliminated the use of portable storage devices for most employees and plans to do that for others. The former employee signed an affidavit indicating the breached information was not used in any way, Hagenbaugh told the newspaper. The affected data included names, addresses and Social Security numbers. The trade publication American Banker reports the exposed customer information came from closed banks.

Smith says the committee wants to ensure that the FDIC is taking appropriate action to mitigate the risks posed by the incident as well as other cybersecurity risks. The committee seeks documentation regarding the incident as well as detailed descriptions of all major security breaches involving FDIC information since Jan. 1, 2009.

Smith's committee is investigating the breach because it has jurisdiction over the National Institute of Standards and Technology, which develops cybersecurity standards for government agencies.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
