On Thursday, May 12, the House of Representatives’ Science, Space, and Technology Committee scrutinized the FDIC’s data privacy and security measures and response plans in a hearing, after the FDIC suffered a spate of data breaches in less than a year. In a press release after the hearing, the Committee had stern words for the FDIC—stating it had uncovered in the hearing “numerous inconsistencies” and accusing the FDIC of “obstructing the Committee’s investigation” by not properly complying with the Committee’s document requests.
Since October of 2015, the FDIC has experienced seven known data breaches of various sizes, resulting in compromise of the personal information of 160,000 individuals. Subcommittee Chairman Barry Loudermilk (R-Ga.) stated in the hearing that, “[t]o date, FDIC has failed to notify any of those individuals that their private information may have been compromised.” Although the FDIC confirmed that the affected individuals have yet to be notified, an FDIC spokesperson stated that the FDIC would do so and would provide credit monitoring to the victims.
Many of the data breaches appear to have been caused by employee violations of data security protocols, in which employees improperly downloaded anywhere between 10,000 and 49,000 personal records and took the sensitive information with them when moving to new jobs. The FDIC’s acting Inspector General, Fred W. Gibson, Jr., characterized these breaches as “inadvertent” and “low risk,” an assessment with which the Committee sharply disagreed on Thursday.
At least one data breach, however, may have been particularly serious. Rep. Loudermilk pressed FDIC officials on an advanced cybertheft, supposedly carried out by China, that affected FDIC computers during 2010-2011. Mr. Gibson responded that his office is currently conducting two cyber security audits, one looking into the agency’s detection and response protocols, and the other focusing on the FDIC’s controls for mitigating the risk of a breach of sensitive information from financial institutions.
Rep. Loudermilk stated that his Committee plans to continue its probe into the FDIC’s data privacy and security issues.
Reporter, Andrew M. W. Mutter, Atlanta, + 404 572-4705, email@example.com