FDIC Calls ‘Major’ Data Breaches Accidental

There is a difference of opinion within the federal government about what counts as a "major" data breach. The debate over the breadth and depth of the adjective is more than semantic. The failure of an agency to classify a cyberincident as a "major" one could stall reporting of the incident. 

For example, since October 2015, seven Federal Deposit Insurance Corporation employees who retired or moved on to other jobs each inadvertently took with them 10,000 or more sensitive records, according to FDIC Chief Information Officer Lawrence Gross. He did not categorize any of the losses as a major cyberincident at the time.

But under 2014 cyber reforms, the rules say that if agency data remains outside the government's control for at least eight hours, or if the situation involves more than 10,000 records, the agency is dealing with a "major" incident that requires notifying Congress within seven days.

Lawmakers, who were not informed of the FDIC incidents until recently, called in FDIC officials on Thursday to explain the apparent miscommunication. 

At least one breach the agency initially called accidental and later upgraded to "major" now is receiving a closer look from FDIC's inspector general.


Gross testified before a House Science Committee panel that he did not believe the breaches merited the "major" label, as defined last October by White House rules, because each worker had been authorized to see the data at issue.

An FDIC review determined the data was removed in error while each employee was downloading his or her own personal information in preparation for leaving the job. There was no evidence the information was distributed to anyone else, and each staffer had faithfully served for many years, Gross said. 

In total, these employees took records on more than 160,000 individuals off premises, according to the committee. None of the people affected have been notified or offered credit monitoring.

FDIC critics say in an age where network attacks and sneaky cyberespionage are not uncommon, even seemingly incidental breaches that fall into the "major" bucket should be reported straight away (all incidents, regardless of scope, are reported annually). 

The Case of the Inadvertent Download to a Personal Portable Device

Tensions peaked over the case of one employee who now works for a foreign financial services company.

The now-former staffer first told investigators she would never take agency information from her former employer and did not even know what an external hard drive was.

According to documents obtained by the committee, the staffer downloaded more than 10,000 personal records as well as "Suspicious Activity Reports, Bank Currency Transaction Reports, [Bank Secrecy Act] Customer Data Reports and a small subset of personal work and tax files."

She later refused to return the device that held the information until hiring a lawyer who then engaged in protracted negotiations with FDIC, the reports show. 

On Thursday, acting FDIC Inspector General Fred Gibson and lawmakers, including the panel's top Democrat, questioned the threat she posed to an agency that regulates $2.6 trillion in assets.  

"Nonadversarial?" Gibson said. "I mean, it seems to me that you could interpret these facts to suggest that she is adversarial. You could certainly interpret these facts to suggest that she is being less than candid or truthful."

House Science Oversight Subcommittee ranking member Rep. Don Beyer, D-Va., said: "We know that this person had gone to work for a foreign bank, had initially denied downloading, refused to turn over the drive and was going through a lot of personal problems [during a divorce]. Don't all of those elevate the sense of risk?"

Gross maintained the download was an innocent mistake.  

He noted that agencies have discretion to characterize as "major" events that do not meet the White House definition, and that he thinks some breaches should be considered more severe than the definition suggests.

For instance, an intruder in the FDIC network who has not copied any information would not necessarily be a "major" threat under the standard, but that type of activity reaches the threshold for Gross.

"I could care less if they were reading the menu for the FDIC; if it's a bad actor and they are in our system, it is reported and it falls into the major category," he said. 

The parameters for urgent notification should be stricter to free up incident response professionals, Gross added.

When a well-resourced hacker enters a network, "the risk you run is that these incidents are then lost in the noise" of others that must be reported immediately, he said. "We want to make sure that we are focusing our energies and our time on those incidents that pose significant risk of harm to individuals or the organization."

The Health and Human Services Department ran afoul of the "major" rule when the agency failed to notify lawmakers for two months about a fairly run-of-the-mill February break-in at a branch office. The crooks stole computer equipment used by HHS employees in an Olympia, Washington, building that potentially contained personal information on millions of people.

While acknowledging the major-minor yardstick for ranking cyber events is not a foolproof system, Rep. Darin LaHood, R-Ill., criticized FDIC's decision to underreport, rather than overreport.   

"The nature of the world we live in now with cyberattacks and foreign entities -- that's what's concerning about the protocol that you went through here," he told Gross.