The Washington Post

FDIC reports five ‘major incidents’ of cybersecurity breaches since fall


The Federal Deposit Insurance Corp. (FDIC) on Monday retroactively reported to Congress that five additional “major incidents” of data breaches have occurred since Oct. 30. FDIC also is launching “a new initiative to enhance security.”

The incidents involved the breach of taxpayers’ personally identifiable information, The Washington Post has learned. In each case, employees with legitimate access to the information were leaving the agency when they inadvertently downloaded the data along with personal files. The individuals involved provided affidavits saying the data was not shared.

FDIC considers these to be low-risk cases, but they each meet the threshold of 10,000 records inappropriately exposed. They are being retroactively reported now because the cases were closed before an FDIC Office of Inspector General decision in February to define “major incident” as one that involves at least 10,000 records.

The new initiative, according to an FDIC document, includes the use of computer software “to force encryption of portable devices” for many purposes. FDIC also will hire a contractor “to conduct an end-to-end assessment of the FDIC IT security and privacy programs, and to provide actionable steps to mitigate any program gaps identified.” A management software program will be implemented to allow the FDIC to locate misplaced, sensitive data, “recall it, and destroy it as appropriate, regardless of where the data are located.”

Last month, The Post reported that the personal information of 44,000 FDIC customers was breached by an employee leaving the agency. In that case, an internal memo from Lawrence Gross Jr., FDIC’s chief information and privacy officer, said the data was placed on a personal storage device by an employee “inadvertently and without malicious intent.”

That apparently was the case with the five incidents now being revealed and a similar October incident reported in April by the Federal Times.

The new security measures come in addition to a series of other steps taken by FDIC. They include a prohibition on the use of mobile media devices by most FDIC employees. “As of early April, if an FDIC employee connects removable media to his or her computer, it is blocked,” says the agency document.

Also, “monitoring of printed materials has been implemented in high-risk areas,” the document says, and in certain cases software can restrict the printing of sensitive information.
