Criminal investigation underway into banking regulator data breach

A criminal investigation is underway over the removal of tens of thousands of taxpayers' personally identifiable information from the Federal Deposit Insurance Corporation (FDIC), the agency’s internal watchdog said Thursday.

“I can confirm the existence of one criminal investigation arising out of the incidents that form the basis for today's hearing,” said FDIC Acting Inspector General Fred W. Gibson Jr. during a House Science, Space and Technology subcommittee hearing.

Gibson cautioned that the case is open and “in a pre-indictment phase, which limits my ability to discuss it directly.”

The FDIC on Monday reported to Congress five "major" data breach incidents.

Each case involves employees with authorized access to the data who inadvertently downloaded information with personal files when they left the agency.

The individuals involved signed affidavits affirming that the information was not shared, and the FDIC considers them low-risk cases. But each case meets the 10,000-record threshold that defines a “major incident,” according to an FDIC Office of Inspector General decision in February.

The reporting follows an incident revealed in April in which a departing employee accidentally breached the data of roughly 44,000 FDIC customers.

According to an agency memo, the employee downloaded the information to a personal storage device “inadvertently and without malicious intent.”

“The FDIC’s investigation does not indicate that any sensitive information has been disseminated or compromised,” said the memo, obtained by The Washington Post.

The FDIC, which provides deposit insurance to banks to help ensure financial system stability, says that it originally judged the incidents to be too low-risk to necessitate informing Congress.

“It was my initial judgment based on several factors that these incidents did not rise to the level of major incident as defined in the OMB guidance,” said Lawrence Gross, chief privacy officer at the FDIC. “However, our office of inspector general reviewed one of these incidents and came to a different conclusion.”

Lawmakers on Thursday accused the agency of not taking the breach seriously enough.

"Mr. Gross, you and I are viewing this incident from a completely different perspective," Rep. Bill Posey (R-Fla.) said. "[You] call it a data breach. Where I'm from, we call it a theft if you take something that's not yours."

“I have a hard time understanding how you can inadvertently download 10,000 customer records or bank records,” Rep. Don Beyer (D-Va.) said.

Committee leaders strongly rebuked the agency for failing to disclose the breaches until urged to do so by the inspector general.

“The FDIC’s repeated efforts to conceal information from Congress are inexcusable. They raise significant questions about whether the agency actively attempts to hide potentially incriminating information from Congress,” said Chairman Lamar Smith (R-Texas).

“The FDIC is failing to live up to its mission of maintaining public confidence in the nation’s financial system because the agency is failing to safeguard private banking information for millions of Americans who rely on FDIC,” Oversight Subcommittee Chairman Barry Loudermilk (R-Ga.) said.