The personal information of 44,000 Federal Deposit Insurance Corp. (FDIC) customers has been breached by a former employee, who left the agency carrying the data on a personal storage device.
In an internal memorandum from the FDIC’s chief information officer to its chief privacy officer, obtained by the Washington Post, it was revealed that the breach occurred back in February, when the data was downloaded “inadvertently and without malicious intent” by the former employee.
The device had stored information including customer names, addresses and social security numbers, but it appears that no sensitive information has been disseminated or compromised.
As detailed in a report by SC Magazine, the unnamed former employee left the FDIC on February 26th, before being called back in by the agency three days later.
Using software that tracks and detects downloads, the FDIC learned that the information had been downloaded onto the ex-employee’s storage device, who later signed an affidavit indicating that the breached information had not been used.
While no serious harm may have been done in this instance, the incident highlights the weakness of security in federal cyber systems.
The fact that sensitive information for over 44,000 customers can be so easily downloaded to a personal storage device is a cause for concern and, as SC Magazine noted, the FDIC has not made clear whether the storage device in question has been checked for malware that could have compromised the data.
The news breaks at a time when the White House has proposed its Cybersecurity National Action Plan, legislation that would establish a $3.1 billion Information Technology Modernization Fund to improve the nation’s cybersecurity.
Detailed on the White House blog, the plan will include government-wide prioritization of cybersecurity and the development of “comprehensive, high-quality modernization plans”.
