When high profile retailers like Target or Home Depot suffer a data breach, it generally makes big news. When it happens to a federal agency, it's often less noticed.
So some consumers may be surprised to learn that FDIC, the agency that safeguards the nation's consumer banking system, has suffered several data breaches since 2013. Members of Congress say all the breaches were the result of FDIC employees going to new jobs and copying agency data to portable drives to take with them.
In a hearing Thursday, a subcommittee of the House Science, Space, and Technology Committee heard testimony from both senior FDIC officials and the agency's acting Inspector General.
Subcommittee Chairman Rep. Barry Loudermilk (R-Ga.) said he was troubled by what he called inconsistencies in FDIC testimony. He also accused FDIC of obstructing the committee's probe by not providing all the documents that were requested. He forcefully made that point in the video below, while questioning Lawrence Gross, FDIC's chief information and privacy officer.
The House subcommittee members said they established that FDIC had failed to notify any of the nearly 160,000 consumers that their sensitive information had been compromised, a step private sector firms are required to take immediately.
Both Republican and Democratic members of the subcommittee were said to be upset when FDIC termed a 2015 data breach “inadvertent.” The committee says documents from the Inspector General show that it took several weeks to recover the portable storage device responsible for the breach, and that the former FDIC employee who took the drive hired a lawyer to negotiate its return.
“The FDIC has been less than forthcoming with Congress,” the subcommittee said in a statement. “From providing incomplete document productions to mis-characterizing the facts, this agency is obstructing Congress’ oversight and failing to protect taxpayers’ personally identifiable information.”
What the law says
Lawmakers point to the Federal Information Security Modernization Act of 2014 (FISMA), which requires the FDIC to notify Congress of major security incidents within seven days.
The subcommittee says the October 2015 incident that involved personal data for more than 10,000 individuals was not reported until more than four months after the breach, and only then after the FDIC Office of Inspector General prompted the agency to do so.
Last year Target paid over $39 million to settle charges relating to its 2013 data breach, in which millions of credit card accounts were compromised.