We often report on data breaches by big federal agencies such as the IRS and the Office of Personnel Management (OPM), but smaller agencies are no less vulnerable to data breaches. Case in point: the Federal Deposit Insurance Corporation (FDIC).
Apparently, a former FDIC employee who left in late February was transferring files onto a personal storage device and “inadvertently” transferred the personal information of 44,000 customers onto the device. The agency realized what had happened three days later. The FDIC’s chief information and privacy officer disclosed the breach to senior leadership in a memo and noted that, based on the agency’s investigation, no sensitive information had been disseminated or compromised.
The former employee had access to information that would be needed to reconcile bank issues, and the information taken likely included names, addresses, and Social Security numbers. He or she returned the device days later and, as far as the FDIC knows, none of that information was used inappropriately. Even taking the employee’s word for it, we have to wonder how that employee could walk away with what should have been secure customer data without even knowing it. So does the Washington Post:
The FDIC document does not indicate what information was taken, but does say the former employee had legitimate access to it “for bank resolution and receivership purposes.”
In a letter sent Friday to FDIC, Rep. Lamar Smith, chairman of the House Science, Space and Technology Committee, asked Gruenberg for details about the breach and “all major security breaches involving FDIC information” since 2009. Congress was notified because FDIC considered the breach to be a “major” incident under the Federal Information Security Modernization Act of 2014.
Calling the breach “troubling,” Smith said “the potential for a breach is especially heightened when sensitive information for over 44,000 individuals is stored without proper security measures.”
Barbara Hagenbaugh, an FDIC spokeswoman, said the agency has eliminated the use of portable storage devices for most employees and plans to do so for the others. The former employee signed an affidavit indicating the breached information was not used in any way, according to Hagenbaugh.
Federal agencies like the FDIC collect a lot of private information on citizens. They are rich targets for hackers and thieves, which means they need to be at least as vigilant as, if not more vigilant than, the retailers, hospitals, and other private sector companies that collect, process, or sit on vast amounts of private information that can be used to steal identities.
This comes at a time when the Obama Administration claims to be making cybersecurity a priority by announcing a $3.1 billion plan to upgrade the government’s aging technology infrastructure. It aims to retire, replace, and modernize the federal government’s IT. But technology works only so far as the people, processes, and protocols governing it are also in place. New technology paired with passive attitudes, inept leadership, lax oversight, bad stewardship of resources, and a culture that just doesn’t care won’t do anything to maintain the public trust. Organizations can be changed, but not merely by replacing cables and software.