WASHINGTON — The confidential living wills of several large banks were taken from the Federal Deposit Insurance Corp. by a departing employee who downloaded the data as part of tens of thousands of records on a zip drive, according to information revealed Thursday by a House subcommittee.
The event took place during the 2015 fiscal year, but was not separately disclosed to Congress until the agency's federally mandated annual report on information security. Even then, the FDIC provided only vague details on what happened. (Federal agencies are required to report to Congress annually on all cybersecurity incidents.)
"In one instance, sensitive business information regarding a limited number of large financial institutions was taken off premises by a departing employee," states the report, which was sent to Congress. "The sensitive information was recovered, and there is no evidence that the data was disseminated."
The confidential report, a copy of which was obtained by American Banker, did not detail what kind of data was compromised. But an investigation by the House Science, Space and Technology Committee revealed it included the living wills of several banks, according to panel staff.
That was supported by the written statement of Fred Gibson, the FDIC's acting inspector general, who told the panel's oversight subcommittee at a hearing Thursday that his office was investigating the "unauthorized release of sensitive resolution plans submitted by systemically important financial institutions."
An FDIC spokeswoman said that since the incident, the agency had phased out the use of removable media devices and implemented printing controls in the area where this employee had worked.
The agency's chief information officer, Lawrence Gross, told the panel Thursday that seven other incidents that had involved a departing employee downloading sensitive data on a zip drive — which were reported to Congress — all were accidental in nature.
"The individuals involved in those incidents were not computer proficient," Gross said. So much so, he added, that they could "inadvertently copy the entire hard drive."
Lawmakers were alarmed not just by the breach, but also by the fact that it was not immediately reported. The Office of Management and Budget issued a memorandum in October — after the FDIC's breach — requiring federal agencies to report cybersecurity incidents deemed "major" to Congress within seven days. But this incident was never separately reported to Congress, according to subcommittee staff. (The FDIC spokeswoman said "we reported the incident to Congress [via the annual report] and referred it to the Inspector General.")
The FDIC's report to Congress mentions 20 information breaches during the 2015 fiscal year, nine of which involved personally identifiable information. The report claims those incidents were "determined to be of zero to low risk."
"For example, there were instances where sensitive financial institution information was mistakenly provided to a non-authorized party via an inadvertent email or via posting to an information exchange site in the wrong location," the report says. "The unauthorized parties were contacted in each case to destroy the sensitive information."
Each of the 20 incidents was reported internally within hours, the agency said. In most cases, it took less than an hour for the problem to be declared. Still, the report indicated that nine individuals had been potentially affected by the breaches, but none of those people were notified.
The FDIC has been hammered in recent days by continued revelations about the leaks. While it was previously known that former employees had walked off with tens of thousands of bank records, the idea that it included living-will data was only a rumor.
On Thursday, Rep. Barry Loudermilk, R-Ga., the subcommittee's chairman, also alleged that hackers based in China were behind a malware attack on the FDIC in 2010 that compromised the computers of Sheila Bair, the FDIC's chairman at the time, and other top agency officials.
Gross said Thursday that the FDIC would report any serious cyberattack — like the one that hit Bair's computer — immediately to Congress.
"I couldn't care less if they were reading the menu for the FDIC … if it's a bad actor that is in our system today, it falls in the 'major' category," he said.