An employee leaving the Federal Deposit Insurance Corporation (FDIC) may have exposed 44,000 FDIC customers’ personal information earlier this year, the Washington Post reports.
The breach, which took place in late February, was acknowledged in a March 18 memo from FDIC CIO Lawrence Gross, Jr., in which he said the data was downloaded to the former employee’s personal storage device “inadvertently and without malicious intent,” and that no sensitive information appears to have been “disseminated or compromised.”
It’s not clear at this point what data was accessed, but the memo states that the former employee had access to it “for bank resolution and receivership purposes.”
FinalCode CEO Gord Boyce told eSecurity Planet that the FDIC was lucky that the employee cooperated and returned the data. “Not every company or government agency will fare so well,” he said. “With all of the layers of security available, organizations have no excuse when it comes to preventing data leakage of customer information or intellectual property.”
“The FDIC breach serves as a cautionary tale that sensitive information can be taken with malicious intent — or in this case — completely by accident,” Boyce added. “Once unencrypted data is out there, it’s out there. Organizations should foresee this occurring and apply file security and policies beforehand.”
A recent Veriato survey of 400 employees found that over 50 percent of respondents said they believed they owned or shared ownership of the corporate data they worked on, making it acceptable to take corporate data with them when they left a job.
Thirteen percent of respondents said they thought it was okay to take login credentials with them, 7 percent said the same of customer data, 6 percent said the same of marketing and sales lists, and 5 percent said the same of financial data.
Almost 60 percent of respondents said they had never signed a confidentiality agreement.
“Companies need to do a better job educating their employees about what they can and cannot share or even use themselves when they move to another organization,” Veriato COO Mike Tierney said in a statement.
“The potential damage from even one employee taking confidential and proprietary customer data, software code or log-in credentials with them to a new job, especially with a competitor, is astronomical,” Tierney added. “Informing employees about who owns the data and how it can be used can eliminate much of that risk.”
A recent eSecurity Planet article suggested three ways to mitigate insider security risk.