Former Employee Mistakenly Takes FDIC Data with Him on the Way Out
Insider attack; Unauthorized use of user privileges; Unauthorized use of employer’s data
An internal Federal Deposit Insurance Corp. memo says the information was downloaded to a personal storage device “inadvertently and without malicious intent.”
The former employee, who wasn’t identified, left the FDIC on Feb. 26, 2016 with the thumb drive. Using technology that tracks downloads to removable devices, the agency detected the breach on Feb. 29, 2016. Thee employee returned the device the next day. “The FDIC’s relationship with the employee has not been adversarial,” the March 18, 2016 memo said.
The notice does not state what information was taken, but does say the former employee had legitimate access to it “for bank resolution and receivership purposes.”
Congress was notified about the mistake because the FDIC considered the breach to be a “major” incident under the Federal Information Security Modernization Act of 2014.
“The FDIC’s investigation does not indicate that any sensitive information has been disseminated or compromised,” the memo said.
FDIC spokeswoman Barbara Hagenbaugh said the agency has eliminated the use of portable storage devices for most employees and plans to do that for others. The former employee signed an affidavit indicating the breached information was not used in any way, she said.
Financial Services; Government (U.S.)
April 11, 2016
Link to report
location of breach
location of perpetrators
date breach occurred
Feb. 26, 2016
date breach detected
Feb. 29, 2016