In yet another example of fragile security in federal cyber systems, data for 44,000 Federal Deposit Insurance Corp. customers were breached by an employee leaving the agency.
The breach occurred in February and was outlined in an internal FDIC memorandum obtained by The Washington Post. The March 18 memo from Lawrence Gross Jr., FDIC’s chief information officer and chief privacy officer, to FDIC Chairman Martin J. Gruenberg said the data were downloaded to a personal storage device “inadvertently and without malicious intent.”
“The FDIC’s investigation does not indicate that any sensitive information has been disseminated or compromised,” the memo said.
That’s good, yet it indicates a serious breach can result from a simple mistake and does not have to be a deliberate cyber theft. That was the situation with a massive heist revealed by the Office of Personnel Management last year. In that case, personal information, including Social Security numbers, of about 21.5 million federal employees and others was hacked.
The FDIC document does not indicate what information was taken, but does say the former employee had legitimate access to it “for bank resolution and receivership purposes.”
Part of FDIC’s mission is maintaining “stability and public confidence in the nation’s financial system.” Maintaining public confidence is hard to do when an employee can walk away with supposedly secure customer data apparently without even knowing it.
In a letter sent Friday to FDIC, Rep. Lamar Smith, chairman of the House Science, Space and Technology Committee, asked Gruenberg for details about the breach and “all major security breaches involving FDIC information” since 2009. Congress was notified because FDIC considered the breach to be a “major” incident under the Federal Information Security Modernization Act of 2014.
Calling the breach “troubling,” Smith said “the potential for a breach is especially heightened when sensitive information for over 44,000 individuals is stored without proper security measures.”
The former employee, who was not identified, left FDIC on February 26 with the personal storage device. Using technology to track downloads to removable devices, FDIC detected the breach on February 29 and the employee returned it the next day. “The FDIC’s relationship with the employee has not been adversarial,” the memo said.
Barbara Hagenbaugh, a FDIC spokeswoman, said the agency has eliminated the use of portable storage devices for most employees and plans to do that for others. The former employee signed an affidavit indicating the breached information was not used in anyway, according to Hagenbaugh. Some of the affected data included names, addresses and Social Security numbers.
Word of the FDIC breach comes as the White House announced a “Cybersecurity National Action Plan” to upgrade the government’s aging infrastructure. The plan includes “a $3.1 billion Information Technology Modernization Fund (ITMF) to further improve our nation’s cybersecurity and retire, replace, and modernize the Federal Government’s information technology (IT) legacy systems, which are costly to maintain and difficult to secure,” according to a White House blog item posted Friday by Tony Scott, the U.S. chief information officer.
The White House proposal includes identifying the government’s highest priority cyber projects, encouraging agencies “to develop comprehensive, high-quality modernization plans” and providing agencies with experts in IT acquisition from the General Services Administration.
“Ultimately, retiring or modernizing vulnerable and inefficient legacy IT systems will not only make us more secure,” Scott said, “it will also save money.”