Employee walks off with 40,000+ customer records, says FDIC

The agency says the data download was accidental, promises to heighten security.

They knew something was wrong at the Federal Deposit Insurance Corporation in Washington, D.C.

Their cybersecurity monitoring showed an alert—someone had downloaded 44,000 customer records onto a portable media device, like a thumb drive, on February 26.

Even worse, that someone was a employee who had just left her job at the agency.

Was it theft from the FDIC, in charge of providing deposit insurance to help protect your money if your bank fails? No, according to spokesperson Julianne Breitbeil.

“What we had was a situation where an employee had departed the FDIC on February 26,” she told Archer News. “The FDIC uses a technology that tracks downloads to removable media. We did contact the employee on the same day.”

How did the FDIC customer data, including some Social Security numbers, end up on the portable drive?

By accident, Breitbeil explained.

“She did have a business reason to have the information in the first place,” Bretibeil said. “It was just a matter of downloading documents as she was leaving, her resume, headshots, that sort of thing.”

The former employee returned the drive on March 1, said Breitbeil, adding, “She did sign the affidavit stating that she had not used or shared any of the information.”

“Troubling”

The agency reported the data disappearance to Congress, according to Breitbeil.

An internal FDIC memorandum said the “breach” was inadvertent and without malicious intent, according to The Washington Post.

“The FDIC’s investigation does not indicate that any sensitive information has been disseminated or compromised,” the memo said.

The House Science, Space and Technology Committee requested more information about the breach in a letter to the FDIC, reported the Post.

Committee chairman Lamar Smith, R-Texas, called the breach “troubling,” according to the Post, and said, “The potential for a breach is especially heightened when sensitive information for over 44,000 individuals is stored without proper security measures.”

Accidental?

For some, the idea of an inadvertent download of that size rings false.

“Someone **accidentally** downloaded 44,000 customer records including personal identity information?” wrote one commenter online. “If you believe that, I have some Siberian real estate I want to sell you…”

“The problem is that there’s no valid reason to allow staff to dump a bunch of PII [personally identifiable information] onto their own thumb drives,” wrote another. “In a properly secured environment, nothing goes onto thumb drives.”

But a cybersecurity expert says it is possible for someone to make that kind of mistake.

“44,000 records is not a lot of data, not any more,” said James Arlen with Leviathan Security Group. 

Arlen created a sample spreadsheet with 1,000 rows of personal data to see how large the file might be in the FDIC case. Not very large, he concluded.

“It’s 125 KB for 1,000 rows,” he said. “Multiply by 44 and you’ve got just about 5 1/2 MB of data. Do you consider 5.5 MB to be a lot of data? That’s a six-minute MP3 song.”

Honest mistake?

The FDIC did not say exactly how the employee downloaded the data, but Arlen offers insight into how an accidental download could happen.

“Imagine for a moment that the employee was working on an Excel spreadsheet,” said Arlen. “It was a long day and near quitting time.”

The employee hits “Control-S” to save the document.

“The file dialog pops up and the employee quickly types a file name and hits enter,” continued Arlen. “Without checking the location the file was being stored to. Which was—because computers are unpredictable at times—the USB drive that the employee had been using earlier to open the spreadsheet that tracks attendance at their kid’s T-ball games.” 

“This is how you end up—if you’re me—with a bunch of unrelated stuff in your ‘Documents’ folder,” he said. “Because you just ‘default saved’ it instead of properly filing it.”

“It’s a totally innocent mistake,” he added. “One that could happen to anyone at anytime—not through a malicious act, but because people are people and they all screw up.”

Preventing on-the-job accidents

Many FDIC workers can no longer use portable media devices like flash drives and external drives, said Breitbeil. Some employees are still using them, however.

“There are some people that still have business reasons of having it,” she said. “We’re finding a way to phase it out.”

“I think we do take this situation seriously,” she added.

Arlen recommends further steps for organizations that want to prevent data download mistakes.

First, make sure the dialog box very clearly shows the save location of the data.

Also, he said, educate your people about the “potential harm that comes from a simple administrative/procedural error.”

And if it happens?

“Carefully don’t flip out when one of your users does something like this and potentially causes harm,” he said. “Work the problem, solve the problem.”

“Understand that, despite your best efforts, data IS going to walk out the door—what can you do to lessen the risk and ensure that you have a method for managing the resulting crisis,” Arlen said.