US Bank Regulator Notifies Congress of Major Data Security Breach (metro.us)
A U.S. banking regulator says an employee was found to have downloaded a large number of files onto thumb drives a week before he retired. When the former employee was contacted, the Office of the Comptroller of the Currency said he "was unable to locate or return the thumb drives to the agency." The reassuring news is that the information appears not to have been disclosed to the public or misused in any way, according to the OCC. Metro.us reports: Before he retired in November 2015, the former employee downloaded a large number of files onto two removable thumb drives, though the incident was only detected last month during a routine security review, the OCC said in a statement. The stolen data was encrypted, the agency said. The Office of the Comptroller, along with the Federal Reserve and Federal Deposit Insurance Corporation, is one of the nation's three most influential bank regulators, which are tasked with protecting consumers and financial markets. The OCC has deemed the breach a "major incident" because the devices containing the information are not recoverable and more than 10,000 records were removed, the agency said. The official, who was not authorized to discuss the case, noted that a large batch of unclassified personnel records were among the cache.
When the employee was contacted... (Score:2)
Contacted? With handcuffs, I presume?
Re: (Score:3)
A couple of years ago, a company for which I had been working was refreshing all the laptops. As part of the program, the USB ports were locked down so that only encrypted drives could be used. As soon as you plugged in a drive that was not encrypted, it insisted on encrypting the contents before allowing it to be used as a drive. In fact the company policy was that one could continue to use your personal thumb drives, but insisted that they be encrypted and password protected (which seemed odd to me at
Re:When the employee was contacted... (Score:4, Funny)
Not every blunder deserves handcuffs.
#Hillary2016 :p
(sorry, had to)
Only one thing to do (Score:5, Funny)
Elect that employee President of the United States.
Old people (Score:1, Interesting)
Old people don't seem to get how important personal information is. Back when I was in school, this old fart used our SSNs and DOBs for our userid and pw for a job website - an external company. He retired the following year. The person who took over was beside herself over her predecessor's stupidity.
These old people don't realize that this information goes all around the world and we don't know who has access.
Bank of America's databases of customer data are all handled in India. So are the credit bureaus.
Re: Old people (Score:3)
This comment is quite ignorant, not interesting. Blaming age for someone's failure to properly handle sensitive data is missing the point. This could be a policy issue, a training issue, a company cultural issue, or something more nefarious. Age likely has nothing to do with this.
Re: (Score:2)
As a blanket statement, *I* think it's "ignorant to think older people have less of a grasp on computers and technology", but then I've been a programmer to one degree or another since 1963.
That said, I have less grasp of modern web usage than most, preferring static HTML, and my C++ is antique...I haven't used it since around 2000. And I sometimes find modern GUIs opaque. (Recently a 16 year old showed me how to adjust the tone produced by an electronic metronome.) So there are definite *areas* where I
Re: (Score:3)
I think the problem isn't that this information was used in this way, but that your SSN has become the root password to your identity. These days, it's issued at birth and changing them is a non-trivial task. You use it every time you get a job, and your employer can leak this information. If you get a divorce, your former spouse likely still knows it. Anyone who sees your tax forms has it.
The foolish part is anyone trusting the SSN as an authentication mechanism.
Re: (Score:2)
The foolish part is anyone trusting the SSN as an authentication mechanism.
That would explain why modern countries don't ....
Re: (Score:2)
When I was at WUSTL in 1980, our University student ID number was our SSN.
WTF (Score:2)
I guess some guys aren't content with just swiping Post-It notes. FFS.
Oh please.... Yer killin' me! (Score:3)
<snort> AH HA HA HA Stop it! As if... <snort> HEE HEE "US banking regulators" <giggle> Did they mention what the unicorns and tooth fairies were up to?
Just like in the movies (Score:3, Interesting)
Great!
Just like in the movies, thumb drives are enabled and auto-magically work in all banking hardware/workstations I assume...
At least, they seem to have a non real-time system that reports "incidents" months later.
I have seen places where, not only can't you access anything from a thumb drive, but security guards auto-magically appear at your desk if you try to plug one in.
Re: (Score:2)
It's a government bureau. What do you think happens when a government bureau is found to have poor data security? Do you think anyone gets fired? Do you think they'll be regulated? Do you think they'll be sued?
So what's their incentive to have good data security? What real incentive does anyone have to pressure any government agencies to do anything responsibly?
Re: (Score:2)
Depends what "government bureau". You might be right for this specific "government bureau" but some others, although seldom, don't F.A.
And to think... (Score:2)
...this could have been prevented with a six-dollar tube of epoxy from the local Wal-Mart.
Re: Enough of This (Score:2)
Except now everyone always has a camera with them at all times.
Proves my concerns (Score:2)
Re:Proves my concerns (Score:4, Insightful)
The problem is not the access to the USB drive but the easy access to the data. Only a printer is required to steal mass data (or a pen/paper if you're really motivated!).
As a freelancer, I can assure you that in all insurance companies I worked at as a contractor I had access to the WHOLE clients databases easily: Samba drives on production servers open to everyone, access to production databases (like every other IT employee in the company), services exposed wide open (REST/SOAP services, app server communication channels (WebLogic t3 for example), ...), shared "tmp/exchange" drives where production batches put stuff "temporarily", ...
USB devices are not the problem. Easy access to data for everyone in the company is the problem.
Re: (Score:2)
Which is why people should be vetted and subject to background checks prior to working for a company. I'm sure everyone has a price, and a few people with a past do reform, but you're an example of someone who could have done some real damage but chose not to. I don't know what motivated you to not pilfer the data, but I'll bet the fear of the consequences wasn't necessarily at the top of the list.
Re: (Score:2)
Which is why people should be vetted and subject to background checks prior to working for a company.
Most companies DO run background checks, but background checks are not a substitute for using record management systems that provide proper controls AND managing those controls.
Files with personally identifiable information on customers or personnel should NOT just be on companies' shared Windows disks where anyone in the company can access and copy their data with no controls.
The data belongs in an appli
Re: (Score:2)
"Which is why people should be vetted and subject to background checks prior to working for a company."
This guy retired. He may have started there 30 years ago. Vetting and background checks aren't the solution.
Free market solution? (Score:3, Informative)
Shouldn't the free market solution be to inform everyone whose account may be compromised and let the bank fail if everyone flees from it? I keep hearing about how great the free market is but never hear about entrenched systems practicing what they preach.
Re: (Score:2)
Banking is hardly a free market. And separating yourself from a bank isn't as simple as it once was.
In the last year I've had several disappointing experiences with big businesses. All of them have been difficult, but the more competitive the market the easier it has been:
I own an Audi A3 TDI. My iPad Pro bricked after an iOS update. And (although I wasn't directly affected) Wells Fargo cheated a bunch of customers.
Although it has been a hassle, I was able to buy a new vehicle, one that isn't an Audi, just
Finger Pointing (Score:3)
Nothing here or in the article indicates if the information was downloaded as part of this individual's job responsibility. The article does call the information stolen but offers no support for that. The company is at least equally at fault here for PII being misplaced. Why were the USB ports enabled on a device that had access to sensitive data unless this was approved behavior? Why was there no DLP solution in place monitoring in real time a device with access to sensitive data and enabled USB ports and presumably internet access?
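Several comments above describe the same control from different angles: a laptop that only accepts encrypted (company-approved) thumb drives, a site where plugging in a drive brings someone to your desk, and the question of why nothing monitored USB ports on a machine with access to sensitive data. The following is an added example, not code from the article or any commenter: a small detector that parses kernel-style USB log lines, groups them per device, flags mass-storage devices, and raises an alert for any that are not on an allowlist of approved drive serial numbers. The log lines, the serial numbers and the `APPROVED_SERIALS` allowlist are constructed for illustration; a real deployment would feed it from the journal or dmesg and would be one signal beside port lockdown and a proper DLP product.

```python
import re
from dataclasses import dataclass

# Constructed sample of kernel log lines (dmesg / journal style) for three
# USB devices: a consumer flash drive, a wireless mouse receiver, and a
# company-issued encrypted drive. None of these values come from the article.
SAMPLE_LOG = """\
usb 1-1: new high-speed USB device number 5 using xhci_hcd
usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-1: Product: Cruzer Blade
usb 1-1: Manufacturer: SanDisk
usb 1-1: SerialNumber: 4C530001234567890123
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: new full-speed USB device number 6 using xhci_hcd
usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
usb 1-2: Product: USB Receiver
usb 1-2: SerialNumber: ABCDEF01
usb 1-3: new high-speed USB device number 7 using xhci_hcd
usb 1-3: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
usb 1-3: Product: Encrypted Drive
usb 1-3: SerialNumber: CORP-ENC-0042
usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist: serial numbers of drives the company issued and
# verified to be hardware-encrypted. Anything else that presents itself as
# mass storage is reported.
APPROVED_SERIALS = {"CORP-ENC-0042"}


@dataclass
class UsbDevice:
    path: str                 # bus path such as "1-1" (port on root hub 1)
    vendor_id: str = ""
    product_id: str = ""
    product: str = ""
    serial: str = ""
    mass_storage: bool = False


# "usb 1-1: <msg>" and "usb-storage 1-1:1.0: <msg>" both carry the bus path;
# the optional ":1.0" is the interface number, which we drop.
LINE_RE = re.compile(r"^usb(?:-storage)? (?P<path>[\d\-.]+)(?::[\d.]+)?: (?P<msg>.*)$")
IDS_RE = re.compile(r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")


def parse_usb_log(text):
    """Group USB log lines by bus path and return one UsbDevice per device."""
    devices = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated kernel noise
        path, msg = m.group("path"), m.group("msg")
        dev = devices.setdefault(path, UsbDevice(path=path))
        ids = IDS_RE.search(msg)
        if ids:
            dev.vendor_id, dev.product_id = ids.group("vid"), ids.group("pid")
        elif msg.startswith("Product: "):
            dev.product = msg[len("Product: "):]
        elif msg.startswith("SerialNumber: "):
            dev.serial = msg[len("SerialNumber: "):]
        elif "USB Mass Storage device detected" in msg:
            dev.mass_storage = True
    return list(devices.values())


def unapproved_storage(devices, approved=APPROVED_SERIALS):
    """Mass-storage devices whose serial is not on the approved list."""
    return [d for d in devices if d.mass_storage and d.serial not in approved]


def format_alert(dev):
    """One-line alert suitable for a SIEM or a pager."""
    return (f"ALERT unapproved USB mass storage on {dev.path}: "
            f"{dev.product or '?'} vid={dev.vendor_id} pid={dev.product_id} "
            f"serial={dev.serial or '?'}")


if __name__ == "__main__":
    for dev in unapproved_storage(parse_usb_log(SAMPLE_LOG)):
        print(format_alert(dev))
```

Run against the sample, only the consumer flash drive on `1-1` is reported: the mouse receiver never announces mass storage, and the encrypted drive's serial is on the allowlist. Keying the allowlist on serial number rather than vendor/product ID matters because any device can claim a vendor ID, whereas issuing and recording specific drives ties the exception to a known asset.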
Reports on data breaches misconstrue copying (Score:2)
It seems the bank officials, or the reporters, don't understand the difference between copying information and deleting information.
It was considered a major incident "because the devices containing the information are not recoverable and more than 10,000 records were removed"
The original records in the bank servers were almost certainly not "removed". That's not what happens when you copy something to a thumb drive.
The fact that the devices containing the information are not recoverable is also PROBABLY g
USB: To be, or not to be, that is the question. (Score:1)
They should have MacBooks! (Score:2)
I bet 99% of the staff can't figure out how to plug a flash drive into a MacBook... The new pro models have 3 ports open of the wrong type, but the MacBook would be charging on its only port.
Not authorized to discuss (Score:1)
> The official, who was not authorized to discuss the case, noted that a large batch of unclassified personnel records were among the cache.
What does it mean when an official who was not authorized to discuss the case goes ahead and discusses it?
Maybe at the Office of the Comptroller of the Currency there's a culture of not following the rules.