Officials at the Federal Deposit Insurance Corporation were reportedly aware of a major leak of personally identifiable information (PII) late last year but failed to inform Congress for several months, according to internal FDIC documents obtained by Federal Times.

In October 2015, an FDIC employee left the agency for a job in the private sector and took with her thousands of records containing highly sensitive information, including Social Security numbers, and loan and banking information for American citizens, according to a Feb. 19 report from FDIC Assistant Inspector General for Audits Mark Mulholland.

An investigation showed the former employee downloaded files onto a personal portable hard drive on Sept. 16 and 17, and Oct. 15, including "Suspicious Activity Reports, Bank Currency Transaction Reports, [Bank Secrecy Act] Customer Data Reports and a small subset of personal work and tax files," the report stated.

Among those files were some 10,000 Social Security numbers.

The exfiltration was discovered on Oct. 23 and referred to FDIC's Computer Security Incident Response Team and later the Data Breach Management Team, which investigated the incident further, according to the IG report. DBMT classified the incident as a breach on Nov. 25 and, on Dec. 2, determined that a large number of Social Security numbers had been compromised.

The FDIC reached out to the former employee's lawyer on Dec. 2 requesting the portable drive be returned no later than Dec. 8, which it was.

After a series of internal meetings, CIO Larry Gross and FDIC leadership reportedly decided the incident did not constitute a "major" breach as defined by the Office of Management and Budget and therefore was not required to be reported.

During the IG's investigation, Mulholland found the October incident did meet the threshold for a "major" designation and urged the CIO to report it to Congress by Dec. 9. He pointed to a stipulation under the Federal Information Security Management Act that requires agencies to report such incidents to Congress within seven days after they are labeled "major," and to OMB memo M-16-03, which outlines this process in detail.

The OMB memo defines a "major" incident as one that involves classified or controlled unclassified information, is not easily recoverable, has a significant impact on the agency's mission or meets a certain threshold based on the number or importance of records exfiltrated. The memo includes a decision matrix to help officials determine whether this definition applies in specific instances.

"In our view, the incident should now be reported immediately," Mulholland wrote in the report.

Gross, who stepped into the CIO role shortly after the incident occurred, agreed with the "breach" designation but "made a determination on behalf of the FDIC that the incident was not major," according to the IG report.

The CIO offered four reasons for rejecting the "major" designation:

  • The employee was not disgruntled when she left the FDIC.
  • A belief that the employee accidentally downloaded the information when attempting to download personal information because the employee was not familiar with information technology.
  • The employee was working through significant personal issues, including a divorce and not living at her residence, presenting a distraction for the employee.
  • The FDIC ultimately recovered the USB drive from the employee.

The IG disagreed with this assessment, stating that the incident met three of the four factors OMB set forth for considering whether a security event should be reported. Mulholland went on to note the OMB guidance does not consider things like whether the employee was disgruntled.

OMB officials, "when provided hypothetical mitigating factors such as those the CIO referenced earlier … advised us that such factors would not be an appropriate basis for determining an incident is not major and does not require reporting to Congress."

Furthermore, the IG offered five reasons why the incident should have been reported:

  • The information was stored on a personal device, in an unencrypted format and without password protection. As a result, the information was accessible to anyone with access to the device. Further, the information was outside of the FDIC’s control for almost two months and no technical means exists to obtain assurance that the information was not accessed by others.
  • The employee’s new employer is a financial services firm owned by a parent company that is based in Bangalore, India.
  • The employee was not forthright with the FDIC when attempts were made to recover the information. For example, the employee repeatedly denied downloading the information and owning a portable storage device.
  • In November 2015, the employee’s former supervisor expressed concern about the content of the files downloaded by the employee and the fact that many of the files were downloaded on the employee’s last day of employment, which the supervisor believed may have indicated suspicious activity.
  • An employee who inappropriately copies information that he/she knows — or should know — to be highly sensitive at the end of his/her employment and who is at the same time dealing with major personal issues — e.g., a divorce, living in a hotel room, seeking employment — presents a heightened security risk profile.

The IG said the incident should have been reported to Congress by Dec. 9 — a week after it was discovered that Social Security numbers were included in the breach — or even earlier, on Nov. 6, based on initial investigations.

As of the issuance of the IG report, FDIC investigators had yet to decide whether to offer credit monitoring services or even whether to inform those affected by the October incident. This pace is far too slow, in Mulholland's assessment.

"Six weeks elapsed between the initial reporting of the incident and a determination of whether a breach had occurred and whether it required reporting," he wrote. "Additional decisions regarding notification to individuals and/or organizations impacted remain outstanding — almost four months after the incident became known."

An FDIC spokesperson told Federal Times that Gross ultimately concurred with the IG's recommendation and reported the incident on Feb. 26. As of this posting, it was unclear whether individuals whose Social Security numbers were exposed have been notified of the incident.

This wouldn't be the last time an employee left the FDIC with sensitive information. On April 11, the Washington Post reported another similar breach in which a former employee left the FDIC with some 44,000 records. An FDIC spokesperson told Federal Times there didn't appear to be any malicious intent behind this incident, that the data was quickly returned, and that the offending former employee signed an affidavit attesting that no one else had seen or taken possession of the information.

But this incident is different, as the exfiltrated information spent far more time outside FDIC networks.

"Our most significant and immediate concern, however, is that the FDIC needs to immediately report what we have concluded is a major incident to the appropriate Congressional committees," Mulholland wrote. "The information involved in the incident includes a large volume of highly-sensitive PII, which increases the risk of identity theft and consumer fraud for the affected individuals."

Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
