Former FDIC Risk Analyst Under Investigation for Stolen Living Will Data

WASHINGTON — Allison Aytes, a former Federal Deposit Insurance Corp. employee in its Office of Complex Financial Institutions, is under investigation by federal authorities for allegedly stealing big banks' living will data on her way out.

Aytes left the agency in the summer of 2015, according to sources with knowledge of the issue, who said she downloaded sensitive information onto a thumb drive pertaining to the resolution plans of some of the banks. According to her LinkedIn profile, Aytes had worked as a cross-border risk analyst since 2010.

When the FDIC learned of the breach, the FBI searched her residence, sources said. It appears Aytes remains under criminal investigation. When reached by phone, Aytes declined to comment on the matter and referred all calls to Peter Pullano, a criminal defense attorney at Tully Rinckey, a law firm based in Washington. Pullano did not respond by deadline to multiple calls. The FDIC also declined to comment on the issue.

The FDIC's Office of Inspector General disclosed on May 12 that it was investigating the leak of sensitive data related to big banks' resolution plans. An investigation by the House Science, Space and Technology Committee showed that a former employee had taken the living will data.

But the identity and role of the employee remained unclear until now.

The breach apparently sparked a change in how the FDIC tracks down suspicious downloads. In September 2015, the agency reconfigured its data loss prevention program to ensure that it would also detect downloads to portable media devices, American Banker has found.

Amidst a congressional inquiry sparked by several more recent incidents, the FDIC also announced it had phased out the use of the technology on work computers.

"As of early April, if an FDIC employee connects removable media to his or her computer, it is blocked," said a May 9 memo the agency provided to American Banker.

But during a May 12 hearing in front of the House technology committee, FDIC Chief Information Officer Lawrence Gross said that only about half of the agency's employees are subject to the USB-drive block.

Other workers — including examiners who need to carry information with them on the field — are still allowed to use the devices. "My goal is to get to zero on use of mobile media," Gross told the panel.

The FDIC has also pledged to implement forced encryption for all such devices starting in May and to increase the monitoring of printed documents in "high-risk areas," the memo stated.

One positive note may be the agency's loss prevention program, which is helping to identify the improper downloads and other breaches quickly.

It is "providing information about certain data losses that have taken place. I don't know that anybody else has a similar program," said Fred Gibson, the agency's acting inspector general.

But some former employees and others familiar with the FDIC said they are appalled by the large number of incidents recently brought to light.

The FDIC was hit by a total of 20 information breaches during the 2015 fiscal year, nine of which involved personally identifiable information, according to a report to Congress obtained by American Banker.

And in the past few weeks, nine specific instances of former employees departing the agency with sensitive data have been reported publicly.

"Nine?" said one banking lawyer familiar with the living wills process. "Unbelievable. ... One, maybe two, tells you there's a bad apple. Nine tells you there's a culture issue."

Some have suggested that the breaches could have been avoided by limiting the use of portable media devices or by restricting the type of data that can be downloaded.

"They were creating an opportunity that most folks — I'm talking 10 years ago — have moved beyond," said the lawyer. "It's almost like they were still doing VHS recorders."

These breaches also highlight the types of problems all government agencies will increasingly have to contend with.

"The whole culture surrounding information and information security today is so different than it was historically," Gibson said. "I don't know that we have caught up culturally with the risks that are out there and are associated with that kind of information being more or less readily available."

But the FDIC also needs to uphold its reputation as a secure institution capable of handling sensitive data on U.S. citizens and banks, he added.

Cybersecurity "has an impact on the FDIC as an agency, it has an impact on consumers, it has an impact on the industry, it has an impact on the national economy," Gibson said.

In addition to the ongoing inquiry into the living wills breach, Gibson plans to produce another audit on the FDIC's response to cybersecurity incidents. Both reports are expected to come out in July.

For reprint and licensing requests for this article, click here.
Law and regulation
MORE FROM AMERICAN BANKER