FDIC Alerts Employees of Data Breach

By Jonathan Krim
Washington Post Staff Writer
Thursday, June 16, 2005

Thousands of current and former employees at the Federal Deposit Insurance Corp. are being warned that their sensitive personal information was breached, leading to an unspecified number of fraud cases.

In letters dated last Friday, the agency told roughly 6,000 people to be "vigilant over the next 12 to 24 months" in monitoring their financial accounts and credit reports. The data that may have been improperly accessed included names, birth dates, Social Security numbers and salary information on anyone employed at the agency as of July 2002.

The agency said that in a "small number of cases," the data was used to obtain fraudulent loans from a credit union, but declined to specify how many or the credit union involved.

According to the letter, the breach occurred early last year, and it remains unclear why employees were not notified for nearly 18 months. The agency wrote that it learned of the breach only "recently," but did not explain how the breach surfaced or why it took so long to learn about it.

Nor did the letter say how the breach occurred, aside from stating that it was not the result of a computer security failure. In June 2003, the Government Accountability Office concluded that security weaknesses at the agency left some of its data vulnerable, though the report cited some improvements.

An FDIC spokesman referred all questions to the FBI, which yesterday declined to comment.

The FDIC workers join more than 1 million other federal employees whose data has been lost or stolen in the past six months, including some senators.

Banks, universities and large companies that buy and sell personal information also have reported breaches, exposing data on tens of millions of consumers.

In many of those cases, no theft or fraud cases linked to the breaches have surfaced.

But Michael Brown, president of Cardcops.com, which specializes in identity-theft protection, said thieves often wait six to 12 months after stealing data to use the information.

Many banks and other organizations provide breach victims with free credit-monitoring services for up to a year, and Brown said thieves sometimes wait until "the heat has cooled down."

Other thieves, Brown said, try to strike immediately, during a period when law enforcement officials typically ask the breached entity not to inform its customers or employees while an investigation ramps up.

The FDIC letter said that the employees whose credit was abused were "immediately contacted," but did not say what steps were taken to clear their names.


© 2005 The Washington Post Company