A former employee of the Federal Deposit Insurance Corp. (FDIC) departed the agency with a storage device that contained data and information involving 44,000 FDIC customers, a FDIC representative told SCMagazine.com.
While FDIC Chairman Martin J. Gruenberg said in a March 18 memo that the data was downloaded to the storage device “inadvertently and without malicious intent,” the device included customer names, addresses and Social Security numbers, according to a report in The Washington Post.
“The FDIC’s investigation does not indicate that any sensitive information has been disseminated or compromised,” said the memo, obtained by the Post.
According to the representative, the employee, who has not been named, departed the FDIC on February 26. Three days later, using software that tracks and detects downloads, the agency discovered that the information was downloaded onto the storage devices. The former employee was contacted and returned the storage device on March 1. The former employee signed an affidavit indicating the breached information was not used, the representative noted.
Rep. Lamar Smith, chairman of the House Science, Space and Technology Committee, sent a letter to Gruenberg, the FDIC’s chairman, on Friday in which he requested details about “all major security breaches involving FDIC information” since 2009, according to the Post.
The FDIC representative did not comment on whether the investigation looked into whether the employee’s personal device may have contained malware that could have compromised the personal data without her knowledge. “We are phasing out the ability to download to a removable device,” the representative told SCMagazine.com.
“In the high-tech world, to have saved sensitive information on thumb drives is a practice out of the Stone Ages,” said Yorgen Edholm, CEO of Accellion, in speaking with SCMagazine.com.
The vulnerability that led to the OPM breach would have cost millions of dollars, but the FDIC upgrade would have cost less than $50,000, he said. “I think it’s close to criminal.”
The FDIC “proactively reported” the incident to Congress “out of an abundance of caution,” the representative told SCMagazine.com. The former employee “did have business reasons to have the information,” the representative added, in speaking with SCMagazine.com.
Rep. Smith’s office did not reply to requests for comment from SCMagazine.com by press time.