FDIC employees' data stolen
An 'unauthorized release' of data let thieves get social security numbers, dates of birth and names of anyone with official FDIC pay status as of July 2002.
Thieves have stolen the personal data of thousands of current and former Federal Deposit Insurance Corp. employees.
Social security numbers, dates of birth and names of anyone with official FDIC pay status as of July 2002 were among the information stolen. The thieves have already used the information to obtain fraudulent loans from a credit loan "in a small number of cases," according to the agency.
Officials of the bank account insurer describe the theft as an "unauthorized release" of personal information, rather than a hacking incident. "This breach was not the result of a failure of our information systems security programs," said Arleas Upton Kea, director of the agency's administration division, in a June 10 letter to current and former FDIC employees.
The information was stolen during early 2004, Kea said. Agency officials only recently learned of the loss from the FBI and the FDIC's office of inspector general, Kea says in the letter. Those organizations will jointly investigate the matter.
The FDIC has been criticized for weak information security in the past. A Government Accountability Office audit conducted in September 2004 through February 2005 found that the agency inadvertently granted 250 users of its information systems access to data including payroll and personnel information.
Neither were the activities of those users being logged for later review, GAO investigators found. "As a result, increased risk exists that individuals could circumvent security controls to read, create, or modify critical or sensitive programs and data, possibly without detection," the GAO report states.
Agency workers are advised to contact all three major credit bureaus to obtain credit reports. Those charged for the reports can expense the cost, up to a maximum of $30, Kea's letter says. Extra employee vigilance over suspected incidents of identity theft will be required for the next 12 to 24 months, she added.
NEXT STORY: GAO: Feds miss mark on security reporting