Data Breach Hits FDIC, Credit Union

WASHINGTON - Banking regulators now have personal experience with something for which they have cracked down on the industry lately - data security breaches.

The Federal Deposit Insurance Corp. sent a letter to more than 6,000 current and former employees Friday alerting them to a breach at the agency that has resulted in at least 28 cases of identity theft.

"According to the FBI and the FDIC's Office of Inspector General, your name, date of birth, salary, Social Security number, and length of service information has been obtained without authorization by a person or persons outside the FDIC," said the letter, a copy of which American Banker obtained Wednesday. "In a small number of cases, this information is known to have been used to obtain fraudulent loans from a credit union."

FDIC officials were "recently" informed that the security lapse occurred last year and that those affected were "immediately contacted," the letter said.

"We acted as quickly as we could once we found out what happened," a spokesman for the FDIC said, but he said he could not provide more information about when the discovery was made or how the information was stolen, because the Federal Bureau of Investigation was looking into the matter.

In recent years the Government Accountability Office has criticized the security of the FDIC's information technology systems and demanded improvements, but the letter said, "This breach was not the result of a failure of our information systems security programs."

Lindsay Alexander, the chief executive of the $374 million-asset NIH Federal Credit Union, said an employee had made the loans mentioned in the letter. The employee began opening accounts in the late summer or early fall of last year using the identities of the FDIC employees and took out 28 fraudulent loans in their names, Ms. Alexander said.

The loans typically were worth between $10,000 and $18,000 and were not collateralized, she said. "The person we believe who created these loans knew how to stay under the radar."

In March, one of the defrauded individuals contacted the credit union about something suspicious, Ms. Alexander said, and the credit union began investigating before notifying federal authorities.

The loans were also suspicious because they were made to people not eligible to be members of the credit union, she said. It serves people associated with the National Institutes of Health, The George Washington University, and other employers.

The employee who made the loans is "no longer working for us," Ms. Alexander said. "I really don't know what their legal standing is. That part of the investigation I'm not really privy to." However, she said she had been told the FBI investigation was going well.

The FDIC Inspector General's Office referred questions on the case to the FBI, and a spokesman for the law enforcement agency would not answer questions about the matter.

Ms. Alexander said the credit union was reviewing its internal controls and procedures, and it has been in touch with each of the 28 victims to help them clean up their credit records.

This is not the first time a banking agency's personnel information has been compromised. In 2001 the Office of the Comptroller of the Currency disclosed that an employee of an independent contractor with access to personnel data had threatened several senior managers that their private information was for sale.

The OCC said at the time that the employee was trying to embarrass the contractor, and that the data was never truly for sale. Still, the OCC notified employees and told them to monitor their credit reports for signs of identity theft.

Citigroup Inc., Bank of America Corp., Wachovia Corp., ChoicePoint Inc., and other companies have reported lost or stolen customer data this year. Some of the incidents have led to instances of fraud.

In response to the breaches, banking and thrift regulators published guidelines in March on how banks should handle unauthorized access to customer information.

The regulators required banks to notify them of any breach immediately and then determine if and when customers should be notified. Customer notices should include a description of the event, how the institution is protecting customers, a phone number for more information, a reminder that customers should remain vigilant over the next one to two years, and a description of how customers can place a fraud alert in their credit report.

The FDIC's letter contained all of these provisions except a description of the event. The spokesman said that was absent because of the ongoing investigation.

CitiFinancial, which disclosed a data security breach this month, offered to pay for credit monitoring services for affected employees. B of A made a similar offer when former employees were accused last month of selling customer information.

The FDIC has not made such an offer but told employees they would be reimbursed if they obtained credit reports.
