A leading technology official in the House says a former Federal Deposit Insurance Corporation employee inadvertently triggered a major cyber breach that compromised 44,000 customers’ data.
Rep. Lamar Smith (R-Texas), chairman of the Science, Space, and Technology Committee, says a former FDIC employee breached the information of 44,000 FDIC customers more than a month ago.
In an April 8 letter obtained by Federal News Radio, Smith said a departing FDIC employee was transferring files from an office computer onto a personal storage device and “inadvertently” copied sensitive customer data from more than 44,000 individuals.
The employee left the agency on Feb. 26, but the agency did not realize the data had been taken until three days later. FDIC officials retrieved the device on March 1. Smith called the lapse in security “troubling,” and requested a briefing on the situation from FDIC once more information is available.
The Washington Post first reported news of the cyber breach Monday morning.
“Sensitive information that is housed for any length of time without proper measures in place to mitigate cybersecurity risks is susceptible to a breach,” Smith wrote to FDIC Chairman Martin Gruenberg. “The committee, therefore, wants to ensure that the FDIC is taking appropriate action to mitigate the risks posed by the security incident as well as any future cybersecurity risks, in accordance with federal information security requirements.”
Smith said the committee first learned of the data breach in a March 18 letter from Gruenberg. The Federal Information Security Modernization Act (FISMA), however, requires agencies to notify Congress within a week of “major” security incidents, as outlined by the Office of Management and Budget.
The House Committee on Science, Space, and Technology holds authority over the National Institute of Standards and Technology (NIST), which sets cybersecurity standards and guidance for FISMA compliance.
The FDIC data breach marks the latest in a series of cybersecurity black eyes for the government. Last summer, a malicious hack on the Office of Personnel Management’s databases exposed the personal information of more than 22 million individuals.
“Although the information was apparently downloaded from an agency database inadvertently, the Committee remains concerned about the handling of sensitive information and wants to ensure that the FDIC has proper controls in place to prevent further incidents,” Smith said.
Smith also asked the agency for documentation “on all major security breaches” dating back to the beginning of 2009. FDIC has until April 22 to respond to Smith’s request for information.
The FDIC did not respond to emails or phone calls seeking comment or further information.