The House Committee on Science, Space and Technology is asking the Federal Deposit Insurance Corporation for a host of documents around a major data breach in October as part of a Congressional investigation, according to a letter Committee Chairman Lamar Smith, R-Texas, sent to FDIC Chairman Martin Gruenberg, obtained by Federal Times.
The letter — dated April 20 — relates to an October incident in which a former employee walked out with thousands of sensitive records stored on a thumb drive, including at least 10,000 Social Security numbers. The FDIC didn't recover the data until December and failed to report the breach to Congress for almost four months, all while the CIO and inspector general battled over whether the leakage constituted a "major" incident.
Federal Times first broke this story on April 20, citing an internal IG memo detailing the incident and the ensuing deliberation.
FDIC officials reported a similar breach to Congress in February — in which a former employee left with thousands of sensitive records that were returned days later — however the Committee is particularly interested in this breach because of how long the files were outside government networks.
"Given the severity of the breach — compromising over 10,000 individuals' sensitive information — the nearly two-month time frame the FDIC required to recover the device raises serious questions about the FDIC's cybersecurity posture and preparedness to appropriately minimize damage in the aftermath of a breach," the letter reads.
Furthermore, Smith said the Committee is concerned about FDIC's failure to promptly report the breach to Congress, as required by law.
"The FDIC's apparent hesitation to inform Congress of the security incident not only raises concerns about the agency's willingness to be transparent and forthcoming with Congress but raises further questions about whether additional information stored in FDIC systems has been compromised without being brought to the attention of Congress," he wrote.
In fact, FDIC officials told Committee staff during an April 21 briefing there are "additional 'major breaches'" that have yet to be reported, a Committee aide told Federal Times. During that meeting, officials told Committee staff they plan to retroactively report any outstanding breaches.
"The FDIC waited over four months to report a major security breach that left more than 10,000 customers' personally identifiable information exposed," the aide said. "Even more concerning is that the FDIC has apparently withheld reporting additional major breaches to Congress."
The letter asks for detailed documentation on four specific topics:
- All documents and communications referring to relating to the October 2015 security incident, including all communications with FDIC OIG.
- A detailed description of the position, grade and duty location of the former FDIC employee responsible for the breach.
- A detailed description of the sensitive information copied onto the former FDIC employee’s portable storage device.
- All documents and communications referring or relating to OMB memo M-16-03.
The Committee gave FDIC officials until noon on May 4 to comply.
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.