WASHINGTON (Reuters) - Members of Congress on Thursday grilled the main U.S. banking regulator about a recent raft of data breaches, highlighting two incidents where workers downloaded more than 10,000 sensitive and private records onto portable storage devices before leaving the agency’s employ.
After the Federal Deposit Insurance Corp uncovered those two breaches, it conducted a review and found five other instances when employees improperly stored and took personal information for tens of thousands of individuals, according to Representative Barry Loudermilk, a Republican who chairs a House of Representatives subcommittee on oversight and technology.
Altogether, more than 160,000 people were affected, Loudermilk said at a hearing covering the breaches.
“To date, FDIC has failed to notify any of those individuals that their private information may have been compromised,” he added.
The highest-ranking Democrat on the subcommittee, Representative Don Beyer, said the concerns were shared by members of both parties and added the FDIC was too slow in notifying Congress about the breaks in data security. It should have informed lawmakers within seven days of the incidents, he said.
The FDIC’s chief information officer and chief privacy officer, Lawrence Gross, told the hearing the agency is working to eliminate employees’ use of portable media and has installed technology blocking most employees from downloading data from its systems to DVDs, CDs and flash drives.
It is also looking into “digital rights management” software that limits how long someone can access information and puts up other barriers to redistributing it.
Gross, who started his role in November, said he is conducting a “top to bottom review” of the agency’s information technology policies and planned to hire an independent third party to conduct an assessment.
The FDIC has said the downloads were inadvertent.
But members of Congress remained skeptical that the breaches were not intentional.
“In at least one case...a former employee who downloaded such data was evasive about her actions and not cooperative when initially confronted,” said Representative Bill Johnson.
“Some FDIC employees also suggest that it was highly improbable that this former employee’s actions were accidental. In addition, this former employee is now working for a U.S. subsidiary of a non-U.S. financial services company, which raises additional concerns.”
Reporting by Lisa Lambert; Editing by Cynthia Osterman