In a blog entry on WeLiveSecurity.com, the ESET blog, we learned that the FDIC has been breached. Its systems appear to have been compromised through the systems issued to or belonging to a former employee, and the data was downloaded to the employee’s personal storage devices. The breach occurred in February and was not externally sourced; the FDIC does not designate it as ‘malicious’ and is keen to promote the fact that no damage was done in the breach.
The personal information of 44,000 Federal Deposit Insurance Corp. (FDIC) customers has been breached by a former employee, who left the agency carrying the data on a personal storage device.
In an internal memorandum from the FDIC’s chief information officer to its chief privacy officer, obtained by the Washington Post, it was revealed that the breach occurred back in February, when the data was downloaded “inadvertently and without malicious intent” by the former employee.
The device had stored information including customer names, addresses and social security numbers, but it appears that no sensitive information has been disseminated or compromised.
As detailed in a report by SC Magazine, the unnamed former employee left the FDIC on February 26th, before being called back in by the agency three days later.
Using software that tracks and detects downloads, the FDIC learned that the information had been downloaded onto the ex-employee’s storage device; the ex-employee later signed an affidavit indicating that the breached information had not been used.
While no serious harm may have been done in this instance, the incident highlights the weakness of security in federal cyber systems.
The fact that sensitive information for over 44,000 customers can be so easily downloaded to a personal storage device is a cause for concern and, as SC Magazine noted, the FDIC has not made clear whether the storage device in question has been checked for malware that could have compromised the data.
The news breaks at a time when the White House has proposed its Cyber-security National Action Plan, legislation that would establish a $3.1 billion Information Technology Modernization Fund to improve the nation’s cyber-security.
Detailed on the White House blog, the plan will include government-wide prioritization of cyber-security and the development of “comprehensive, high-quality modernization plans”.
While this breach was not malicious, it could have been prevented by using the Device Control features found in many modern endpoint protection systems, such as ESET Endpoint Security or similarly feature-rich business endpoint protection products.
Such a system allows IT administrators to lock down USB-type devices (and CD/DVD drives) so that data cannot be exported. Locking down the devices that can be plugged into business computers prevents not only the import of malware but also the export of data.
If staff need to use USB thumb drives, these can be issued. Policy can be put in place to allow only USB devices from a particular vendor, or even only individual serial-numbered devices issued to the employee. Such a policy would be HIGHLY advisable in Federal Govt. Departments!
Combine the lockdown of devices to known, issued USB thumb drives with the use of ENCRYPTED THUMB DRIVES and you have a much more secure data-loss situation. Even if a USB device is lost, the device’s encryption keys can be revoked, and even without that, the data is not lost unless the encryption is broken. Losing a secure encrypted device is NOT a data-loss event; it is a device-loss event.
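As an added example (not code from the original post or from ESET), here is the allowlist policy just described, modelled in Python: removable storage is blocked by default, and only drives whose USB vendor/product ID and serial number match an issued device are admitted, while non-storage devices such as keyboards pass through. All vendor IDs, serials and attach events are constructed values.

```python
"""Device-control allowlist evaluator (added example, not ESET code).
Removable storage is blocked by default; only issued drives, identified by
USB vendor/product ID and serial, are admitted. All IDs are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class UsbDevice:
    device_class: str   # "storage", "hid", "optical", ...
    vendor_id: str      # USB VID as reported by the device descriptor
    product_id: str     # USB PID
    serial: str         # serial number, "" if the device reports none

# Ordered rules: (device_class, vendor_id, product_id, serial, action).
# None in a field matches any value; the first matching rule wins.
RULES = [
    ("hid", None, None, None, "allow"),                     # keyboards, mice
    ("storage", "0951", "1666", "FDIC-0001-ENC", "allow"),  # issued encrypted drive
    ("storage", "0951", "1666", "FDIC-0002-ENC", "allow"),  # issued encrypted drive
    ("storage", None, None, None, "block"),                 # any other removable storage
    ("optical", None, None, None, "block"),                 # CD/DVD drives
]

def matches(rule, dev: UsbDevice) -> bool:
    fields = (dev.device_class, dev.vendor_id, dev.product_id, dev.serial)
    return all(want is None or want == have for want, have in zip(rule[:4], fields))

def decide(dev: UsbDevice, rules=RULES) -> str:
    """Return the action for an attached device; anything no rule covers is blocked."""
    for rule in rules:
        if matches(rule, dev):
            return rule[4]
    return "block"

# Constructed attach events, including a personal drive of the approved model.
SAMPLE_EVENTS = [
    UsbDevice("hid", "046d", "c52b", ""),
    UsbDevice("storage", "0951", "1666", "FDIC-0001-ENC"),
    UsbDevice("storage", "0951", "1666", "PERSONAL-777"),   # same model, not issued
    UsbDevice("storage", "abcd", "0001", "FDIC-0001-ENC"),  # issued serial, wrong model
    UsbDevice("optical", "", "", ""),
]

def audit(events, rules=RULES):
    """Decision per event; blocked storage attaches are what an administrator reviews."""
    return [(e.device_class, e.serial or f"{e.vendor_id}:{e.product_id}", decide(e, rules))
            for e in events]
```

Calling `audit(SAMPLE_EVENTS)` returns one (class, identifier, action) tuple per event; the blocked entries are the attempts worth logging and reviewing.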