It’s not exactly the heist of the century, but the FDIC has stirred up a bit of controversy. Departing FDIC employees downloaded their family photos, personal emails, and the sensitive data of over 100,000 bank customers. Oops. Instead of reporting to Congress, the agency stayed mum for months, which earned it a strict chiding from its IG in the form of a special inquiry issued on April 16.
The blame falls on a combination of confusion and compliance failures. In eight separate incidents from late 2015 to early 2016, employees copied sensitive data off FDIC computers in the days before leaving their positions. None of the employees intentionally removed the data, but by downloading FDIC files alongside their personal ones, departing employees moved Social Security numbers, bank examination information, and “highly sensitive” bank resolution plans onto their own devices. After discovering the incidents, the FDIC was able to track down the data and satisfy itself that none of the employees had misused it, but under FISMA the incidents were still reportable breaches; the damage had been done.
It’s always the cover-up, never the crime. None of the eight incidents was reported to Congress within seven days, as FISMA requires. Nor did the FDIC share the incidents with the Financial Crimes Enforcement Network or with the affected consumers. Until the IG rang the alarm bell, knowledge of the incidents stayed inside the agency for months.
Investors like to talk about FUD: fear, uncertainty and doubt. FUD is a strong candidate for explaining the silence here. The lack of clarity around the phrase “major incident” stalled the reporting process. The legal division declined to offer interim guidance, and guidance from OMB did not arrive until after the first incident. OMB’s guidance set a threshold of 10,000 affected records for a “major incident”, but the FDIC never followed up with the details needed to implement it.
Working from that confusion, the FDIC weighed mitigating factors in each incident and determined that none of them qualified as “major”. Then-CIO Lawrence Gross, who left the agency in January, did not consult the Data Breach Management Team (DBMT) on whether to declare the incidents breaches.
In addition, the incidents came amid a flood of potential events. The agency received over 600,000 security alerts during the six months examined, each requiring manual review. Imagine that in your inbox. The agency had nowhere near enough staff to keep up, and in these cases reviewed the download alerts only after the employees had already left the building.
The IG also found that the FDIC relied too heavily on written statements from the former employees, all of whom certified that they had not removed any confidential information before leaving the agency. So much for former employees being brutally honest with their bosses.
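The obvious fix for a backlog that gets worked only after people have left is to rank the queue by who is leaving. The following is an added example, not FDIC code and not from the IG report: it takes a handful of constructed DLP-style alerts and a constructed HR separation roster, pushes egress events by soon-departing employees to the top, flags anything at or above the 10,000-record threshold the article attributes to OMB, and attaches the seven-day FISMA reporting deadline to those. All field names, labels, weights and the 14-day departure window are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example, not FDIC code. Every alert line and the separation roster below are
# constructed for illustration; the field names are assumptions, not any real tool's schema.

FISMA_REPORT_DAYS = 7             # seven-day reporting window cited in the article
MAJOR_INCIDENT_RECORDS = 10_000   # record-count threshold the article attributes to OMB guidance
DEPARTURE_WINDOW_DAYS = 14        # assumption: how close to separation counts as "departing"
EGRESS_EVENTS = {"usb_copy", "personal_email", "cloud_upload"}      # assumed event names
SENSITIVE_LABELS = {"bank_pii", "exam_report", "resolution_plan"}   # assumed data labels


@dataclass(frozen=True)
class Alert:
    user: str
    day: date
    event: str
    records: int   # number of customer/bank records the tool estimated in the transfer
    label: str     # data classification label attached by the DLP tool


# Constructed sample alerts (not real FDIC data).
ALERTS = [
    Alert("a.lee", date(2016, 1, 5), "usb_copy", 120_000, "bank_pii"),
    Alert("b.ng", date(2016, 1, 5), "cloud_upload", 50, "personal"),
    Alert("c.ortiz", date(2016, 1, 6), "usb_copy", 3_000, "exam_report"),
    Alert("d.kim", date(2016, 1, 6), "print", 10, "public"),
]

# Constructed HR roster: user -> scheduled separation date.
SEPARATIONS = {
    "a.lee": date(2016, 1, 8),
    "c.ortiz": date(2016, 1, 12),
    "d.kim": date(2016, 3, 1),
}


def score_alert(alert, separations, window_days=DEPARTURE_WINDOW_DAYS):
    """Return (score, reasons, major) for one alert. Weights are assumptions."""
    score, reasons = 0, []
    sep = separations.get(alert.user)
    if sep is not None and 0 <= (sep - alert.day).days <= window_days:
        score += 50
        reasons.append(f"separation in {(sep - alert.day).days} days")
    if alert.event in EGRESS_EVENTS:
        score += 20
        reasons.append(f"egress via {alert.event}")
    if alert.label in SENSITIVE_LABELS:
        score += 20
        reasons.append(f"sensitive label {alert.label}")
    major = alert.records >= MAJOR_INCIDENT_RECORDS
    if major:
        score += 40
        reasons.append(f"{alert.records} records at or above major-incident threshold")
    return score, reasons, major


def triage(alerts, separations, window_days=DEPARTURE_WINDOW_DAYS):
    """Rank alerts so departing-employee egress is reviewed first; attach the
    reporting deadline to anything that crosses the major-incident threshold."""
    ranked = []
    for a in alerts:
        score, reasons, major = score_alert(a, separations, window_days)
        ranked.append({
            "user": a.user,
            "day": a.day,
            "score": score,
            "major": major,
            "report_by": a.day + timedelta(days=FISMA_REPORT_DAYS) if major else None,
            "reasons": reasons,
        })
    # Highest score first; ties broken by user name so the order is stable.
    ranked.sort(key=lambda r: (-r["score"], r["user"]))
    return ranked


if __name__ == "__main__":
    for row in triage(ALERTS, SEPARATIONS):
        deadline = row["report_by"].isoformat() if row["report_by"] else "-"
        print(f"{row['score']:>4} {row['user']:<8} major={row['major']!s:<5} "
              f"report_by={deadline} {'; '.join(row['reasons'])}")
```

Run as is, the 120,000-record USB copy by the employee leaving in three days lands at the top with a reporting deadline seven days after the event, the 3,000-record copy by the next departing employee comes second, and the two routine alerts fall to the bottom. The point is the join with the separation roster: an alert that is noise on an ordinary day becomes the first thing to open when it comes from someone whose last day is this week, and that ordering has to happen before the badge is turned in, not after.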
When it comes to IT security, the FDIC may need to worry a little less about deposit insurance, and a little more about providing public assurance.