Officials at the Federal Deposit Insurance Corporation say the agency’s data breach was under control before data fell into the wrong hands, but the case serves as an important lesson that not all insider threats are malicious.
Simple negligence — losing an office laptop or copying the wrong file onto a flash drive — can be just the sort of vulnerability that can expose sensitive government data to the wrong people.
The FDIC said the employee who inadvertently copied 44,000 customers’ data onto a personal storage device signed an affidavit confirming that breached information had not been accessed.
Office of Communications spokeswoman Julianne Fisher Breitbeil told Federal News Radio on April 13 that agency IT systems alerted management to the data breach, which enabled FDIC to contact the employee three days after the breach.
Breitbeil said the employee regularly accessed the data for work purposes during her time at the FDIC.
Erik Knight, president of IT security company SimpleWan, told Federal News Radio that even without malicious intent, the FDIC breach exposes vulnerabilities that could be exploited by other hackers.
“I know they’re not a huge government organization, but they contain sensitive data. And most government organizations that have any kind of sensitive data, you’re not allowed to bring a flash drive on premise because of issues that have happened like this,” he said.
Bill Nelson, CEO at the Financial Services Information Sharing and Analysis Center (FS-ISAC), said financial agencies should have digital rights management systems in place that prevent employees from copying sensitive files onto a flash drive or as an email attachment.
“If information is out there that you’re sharing with either your employees or individuals outside your company, there are ways to actually encrypt that data or ensure that it doesn’t get copied,” Nelson told Federal News Radio. “So you couldn’t take, let’s say, a spreadsheet, or a Word document, or any type of file that has sensitive information. It’s marked. The policy of the organization has to be such that they will mark that type of data as sensitive and cannot be transmitted, for instance, by email.”
But strong IT systems don’t ensure data security unless an agency’s workforce also complies with good “cyber hygiene” practices.
“Most of the stuff out there is people-driven,” Knight said. “Hackers want to exploit the broken processes that people will use to gain access to that information. That happens more than anything, because the breakdown is the policy and the procedures, and they’ve just not caught up with the technology yet.”
Every major cyber breach that makes the news, Knight said, represents just the tip of the iceberg. In reality, agencies have to prevent malicious intrusions on a near-daily basis.
“When we hear these things and they hit the news, it’s often a very small subset, and somebody five or 50 times over did the same thing and actually compromised that data. So the scary part is that the ability was there and somebody most likely did it, even if this employee reported it.”
Nelson said agencies need to ensure that the workforce receives the training it needs to avoid spear phishing attempts through email, or simply not pick up a flash drive off the street and plug in into an office computer — the kind of trick that nearly one in five people would fall for.
“There should be better education, too, at companies, or in this case government agencies, about what’s permissible to leave the organization. And then the organization needs to strive to have policies and systems in place to prevent that from happening,” Nelson said.
When it comes to preventing the next big cybersecurity breach in government, Knight said agencies should realize that every office has sensitive information that’s valuable to hackers.
“That’s what I think we’re going to see more and more of, is even in government with smaller agencies that think ‘Hey, I’m completely off the radar. I’m unimportant, I don’t have that key information.’ There’s value there, and I think they’re going to be coming after them very hard,” he said.