American Banker: What Banks Can Learn from the FDIC Data Breach

April 14, 2016

Robert Capps, VP of Business Development at NuData Security, comments on the FDIC Data Breach.

The FDIC’s recent data breach of 44,000 records is a case study, mostly in how to handle a security incident well. It also highlights additional security controls all financial institutions should have in place.

On Friday, Feb. 26, an FDIC employee was packing up; it was her last day at the agency. She downloaded some personal files, such as family photos and her resume, from her work computer onto a USB drive to take home. At the same time, the FDIC later discovered, she inadvertently downloaded 44,000 customer records, including personally identifiable information, onto the portable device. The following Monday, the FDIC’s data loss protection software detected the compromise of records and alerted security staff. The FDIC contacted the ex-employee immediately and asked her to return the drive; the agency had it back by March 1.

Robert Capps, vice president of business development at NuData Security, a provider of software that monitors human behavior for signs of security infringements, applauded this step. “There are legitimate reasons to move files around a company on portable media, because sometimes email or file shares is not the right play,” he said. “But you have to take precautions on that data to ensure that it’s transferred to media that’s encrypted.”

Conroy said she was surprised the agency didn’t already have such an anti-USB policy. “That is definitely a best practice,” she said. “At a number of banks I talk to, if there are computers that have access to this kind of sensitive customer data, for instance in contact centers, the USB ports on those computers are physically sealed off.”

For the complete article, go here.