When the FDIC recently announced that the personally identifiable information of thousands of people was leaked, it also was revealed that the breach occurred back in late 2015.
Officials were aware of the leak not long after it happened when an FDIC employee left the agency for a job in the private sector and accidentally took with her thousands of records containing highly sensitive information. An investigation found that the former employee downloaded files onto a personal portable hard drive on at least three occasions in September and October. That’s according to a report released in February 2016.
And yet none of this news was made public until April.
That means that more than six months passed in which American citizens were unaware that their social security numbers, loan and bank information had been breached. The investigation found the former employee didn’t act maliciously, didn’t mean to download the files, and returned the hard drive in December when the FDIC’s Computer Security Incident Response Team requested it.
So you might think, no harm, no foul, right?
But this incident highlights a major problem facing organizations of all types, in any industry that handles individuals’ PII. What if this employee had accidentally lost the hard drive and it had fallen into the wrong hands? The possibilities are endless. Not all breaches are the work of hackers; sometimes a simple mistake is enough.
And what’s more, this was the second such incident to be reported by the FDIC in April. It turns out that something similar occurred in February. That is troubling for an agency whose mission includes maintaining “stability and public confidence in the nation’s financial system.”
Organizations cannot afford to be cavalier about these situations. Internal security policies must be improved.
As our own Robert Capps told the American Banker, “There are legitimate reasons to move files around a company on portable media because sometimes email or file shares is not the right play. But you have to take precautions on that data to ensure that it is transferred to media that’s encrypted.”
As we’ve seen time and time again, data breaches don’t occur in a vacuum. Whether unintentional or malicious, they pose a serious risk. User behavior isn’t easy to change, but with a multi-layered approach that involves behavioral biometrics and analysis, that risk is mitigated.
Accidental or not, risk is not going anywhere any time soon!