FDIC Reports Security Breach

Add a U.S. federal government agency to the list of organizations faced with disclosing that personal data has been stolen.

The FDIC has notified former and current employees of the agency that personal data including name, date of birth, salary, Social Security number and other information had been stolen several months ago.

Although the data theft was discovered in March and letters were sent to affected employees at that time, the FBI subsequently found that data of all former and current Federal Deposit Insurance Corp. employees—not only those notified by the FDIC in March—had been compromised.

Not only is the security breach embarrassing for the FDIC, its also ironic, because the FDICs job is to issue alerts to financial institutions about how to handle sensitive information, said Gerry Gebel, senior analyst at Burton Group, a Midvale, Utah, research and advisory firm.

The security breach at the FDIC is just the latest in a series of high-profile cases of identity thefts.

In March, for example, Bank of America Corp. lost several data tapes containing personal information on more than 1 million federal employees.

Also in March, BJs Wholesale Club Inc. disclosed that customer information was compromised—something the Federal Trade Commission attributes to the wholesale club failing to encrypt data.

Other high-profile data breaches have occurred at ChoicePoint, Wells Fargo and others.

There are many reasons such data breaches are so prevalent in the United States, Gebel said.

"Other countries dont have the credit reporting infrastructure or the concept of the Social Security number, and some have very strict laws and penalties if companies misuse personal data," he said. "We are a lot more vulnerable to personal identity theft and fraud."

Although its always difficult to stop identity theft, Gebel suggested several methods the FDIC and other organizations can use.

/zimages/1/28571.gifRead more here about a scam that purported itself to be an e-mail from the FDIC.

In addition to sufficient technology and security controls that allow employees to see only the information they need to do their jobs, Gebel said most of the methods are more about the people and the process than the technology.

"Its about the procedures they put in place to guard the data as its being collected and entered into the system. Its about whether they shred the paper forms, and if they are in a filing cabinet, that they are kept under lock and key," he said. "And do they do background checks on the people who work in HR and payroll?"

To help stem the rising tide of identity theft, Congress is currently mulling over several potential laws that, similar to California SB 1386 and those in process in several other states, would require organizations disclose any unauthorized acquisition of information.

In the U.S. Senate, Dianne Feinstein, D-Calif., has introduced such a bill, dubbed the Notification of Risk to Personal Data Act.

Meanwhile, U.S. Rep. Melissa L. Bean, D-Ill., has introduced a companion bill that would require the government or any business that owns or licenses electronic data containing personal information to notify anybody whose personal information has been compromised. The bills also would create a clearinghouse to collect, track and report data breaches.

Sens. Charles Schumer, D-N.Y., and Bill Nelson, D-Fla., also introduced an identity theft bill that would give broader authority to the Federal Trade Commission and require more disclosure.

The Schumer-Nelson ID Theft Prevention Bill will create an FTC Office of Identity Theft to help victims of ID theft reclaim their identities more easily, regulate data merchants, and force companies to inform consumers in plain English that their information may be sold or given to an unaffiliated third party without their consent unless a box is checked.

The legislation, although not a complete solution, ultimately may help stem the tide of data breaches, Gebel said.

"It could provide some motivation, because companies for a long time loathed to discuss or disclose any security breach that occurred," he said. "Thats one of our greatest motivating factors for improvement—that they will be forced to report this to customers."

But even with new legislation in place, Gebel said he expects the situation to get worse before it gets better.

"There is both the motive and the opportunity for identity thieves," he said. "They are making a lot of money, and were making it easy for them."

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.