
US Bank Regulator Notifies Congress of Major Data Security Breach (metro.us)

A U.S. banking regulator says an employee was found to have downloaded a large number of files onto thumb drives a week before he retired. When the former employee was contacted, the Office of the Comptroller of the Currency said he "was unable to locate or return the thumb drives to the agency." The reassuring news is that the information appears not to have been disclosed to the public or misused in any way, according to the OCC. Metro.us reports: Before he retired in November 2015, the former employee downloaded a large number of files onto two removable thumb drives, though the incident was only detected last month during a routine security review, the OCC said in a statement. The stolen data was encrypted, the agency said. The Office of the Comptroller, along with the Federal Reserve and the Federal Deposit Insurance Corporation, is one of the nation's three most influential bank regulators, which are tasked with protecting consumers and financial markets. The OCC has deemed the breach a "major incident" because the devices containing the information are not recoverable and more than 10,000 records were removed, the agency said. The official, who was not authorized to discuss the case, noted that a large batch of unclassified personnel records were among the cache.
  • Contacted? With handcuffs, I presume?

    • by rednip ( 186217 )

      A couple of years ago, a company for which I had been working was refreshing all the laptops. As part of the program, the USB ports were locked down so that only encrypted drives could be used. As soon as you plugged in a drive that was not encrypted, it insisted on encrypting the contents before allowing it to be used as a drive. In fact, the company policy was that you could continue to use your personal thumb drives, but it insisted that they be encrypted and password protected (which seemed odd to me at

  • by Kohath ( 38547 ) on Saturday October 29, 2016 @08:57AM (#53174709)

    Elect that employee President of the United States.

  • Old people (Score:1, Interesting)

    by Anonymous Coward

    Old people don't seem to get how important personal information is. Back when I was in school, this old fart used our SSNs and DOBs for our user ID and password for a job website - an external company. He retired the following year. The person who took over was beside herself over her predecessor's stupidity.

    These old people don't realize that this information goes all around the World and we don't know who has access.

    Bank of America's databases of customer data are all handled in India. So are the credit bureaus'.

    • This comment is quite ignorant, not interesting. Blaming age for someone's failure to properly handle sensitive data is missing the point. This could be a policy issue, a training issue, a company cultural issue, or something more nefarious. Age likely has nothing to do with this.

    • by Zak3056 ( 69287 )

      I think the problem isn't that this information was used in this way, but that your SSN has become the root password to your identity. These days, it's issued at birth and changing them is a non-trivial task. You use it every time you get a job, and your employer can leak this information. If you get a divorce, your former spouse likely still knows it. Anyone who sees your tax forms has it.

      The foolish part is anyone trusting the SSN as an authentication mechanism.

      • by GNious ( 953874 )

        > The foolish part is anyone trusting the SSN as an authentication mechanism.

        That would explain why modern countries don't ....

    • by sconeu ( 64226 )

      When I was at WUSTL in 1980, our University student ID number was our SSN.

  • > Before he retired in November 2015, the former employee downloaded a large number of files onto two removable thumb drives...

    I guess some guys aren't content with just swiping Post-It notes. FFS.

  • by NoNonAlphaCharsHere ( 2201864 ) on Saturday October 29, 2016 @09:01AM (#53174717)

    > A U.S. banking regulator...

    <snort> AH HA HA HA Stop it! As if... <snort> HEE HEE "US banking regulators" <giggle> Did they mention what the unicorns and tooth fairies were up to?

  • by ls671 ( 1122017 ) on Saturday October 29, 2016 @09:20AM (#53174759) Homepage

    Great!

    Just like in the movies, thumb drives are enabled and auto-magically work in all banking hardware/workstations I assume...

    At least, they seem to have a non real-time system that reports "incidents" months later.

    I have seen places where not only can't you access anything from a thumb drive, but security guards auto-magically appear at your desk if you try to plug one in.

    • by Kohath ( 38547 )

      It's a government bureau. What do you think happens when a government bureau is found to have poor data security? Do you think anyone gets fired? Do you think they'll be regulated? Do you think they'll be sued?

      So what's their incentive to have good data security? What real incentive does anyone have to pressure any government agencies to do anything responsibly?

      • by ls671 ( 1122017 )

        Depends on what "government bureau". You might be right for this specific "government bureau", but some others, although seldom, don't F.A.

  • ...this could have been prevented with a six-dollar tube of epoxy from the local Wal-Mart.

  • I know I've been talking about rolling out a group policy to disable USB drives across our enterprise, but I get told I'm being controlling. They have been our largest infection vector and, like this post shows, an easy way for data to walk out the door without an audit trail.
    • by grumpy-cowboy ( 4342983 ) on Saturday October 29, 2016 @10:51AM (#53175023)

      The problem is not the access to the USB drive but the easy access to the data. Only a printer is required to steal mass data (or a pen and paper if you're really motivated!).

      As a freelancer, I can assure you that in all insurance companies I worked at as a contractor I easily had access to the WHOLE client databases: Samba drives on production servers open to everyone, access to production databases (like every other IT employee in the company), services exposed wide open (REST/SOAP services, app server communication channels (WebLogic t3 for example), ...), shared "tmp/exchange" drives where production batches put stuff "temporarily", ...

      USB devices are not the problem. Easy access to data for everyone in the company is the problem.

      • by grumling ( 94709 )

        Which is why people should be vetted and subject to background checks prior to working for a company. I'm sure everyone has a price, and a few people with a past do reform, but you're an example of someone who could have done some real damage but chose not to. I don't know what motivated you to not pilfer the data, but I'll bet the fear of the consequences wasn't necessarily at the top of the list.

        • by mysidia ( 191772 )

          > Which is why people should be vetted and subject to background checks prior to working for a company.

          Most companies DO run background checks, but background checks are not a substitute for using record management systems that provide proper controls AND managing those controls.

          Files with personally identifiable information on customers or personnel should NOT just be on a company's shared Windows disk where anyone in the company can access and copy the data with no controls.

          The data belongs in an appli

        • "Which is why people should be vetted and subject to background checks prior to working for a company."

          This guy retired. He may have started there 30 years ago. Vetting and background checks aren't the solution.

  • by Gravis Zero ( 934156 ) on Saturday October 29, 2016 @10:48AM (#53175003)

    Shouldn't the free market solution be to inform everyone whose account may be compromised and let the bank fail if everyone flees from it? I keep hearing about how great the free market is but never hear about entrenched systems practicing what they preach.

    • by grumling ( 94709 )

      Banking is hardly a free market. And separating yourself from a bank isn't as simple as it once was.

      In the last year I've had several disappointing experiences with big businesses. All of them have been difficult, but the more competitive the market the easier it has been:

      I own an Audi A3 TDI. My iPad Pro bricked after an iOS update. And (although I wasn't directly affected) Wells Fargo cheated a bunch of customers.

      Although it has been a hassle, I was able to buy a new vehicle, one that isn't an Audi, just

  • by slasher999 ( 513533 ) on Saturday October 29, 2016 @11:02AM (#53175061)

    Nothing here or in the article indicates if the information was downloaded as part of this individual's job responsibility. The article does call the information stolen but offers no support for that. The company is at least equally at fault here for PII being misplaced. Why were the USB ports enabled on a device that had access to sensitive data unless this was approved behavior? Why was there no DLP solution in place monitoring in real time a device with access to sensitive data and enabled USB ports and presumably internet access?
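    The comment above asks why nothing monitored the device in real time, and rednip earlier described an endpoint policy that only tolerated encrypted removable media. The following is an added illustration, not code from the page, the OCC, or any commenter: a toy correlation routine over constructed endpoint audit events that raises the three alerts a DLP-style monitor would want here: an unencrypted removable device being mounted, a cumulative copy volume to removable media crossing the 10,000-record "major incident" threshold quoted in the story, and any copy to removable media inside a window before a user's scheduled separation date. The event schema, user names, device serials, and the HR separation feed are all hypothetical.

    ```python
    """Toy DLP-style correlation over constructed endpoint audit events.

    Alerts raised:
      unencrypted_media    - a removable device mounted without encryption
      pre_separation_copy  - a copy to removable media within N days of a
                             scheduled separation (retirement, resignation)
      bulk_copy            - cumulative records copied to removable media by
                             one user reach the major-incident threshold
    """
    from dataclasses import dataclass
    from datetime import date, timedelta


    @dataclass(frozen=True)
    class Event:
        day: date
        user: str
        kind: str            # hypothetical kinds: "usb_mount" or "copy_to_removable"
        device: str          # hypothetical device serial
        encrypted: bool = True
        records: int = 0     # records in the copied files (copy events only)


    # Constructed sample events; the people, serials and dates are invented.
    EVENTS = [
        Event(date(2015, 11, 2), "jdoe", "usb_mount", "SN-AAA1", encrypted=False),
        Event(date(2015, 11, 2), "jdoe", "copy_to_removable", "SN-AAA1", records=7500),
        Event(date(2015, 11, 3), "jdoe", "copy_to_removable", "SN-BBB2", records=4200),
        Event(date(2015, 11, 5), "asmith", "usb_mount", "SN-CCC3", encrypted=True),
        Event(date(2015, 11, 5), "asmith", "copy_to_removable", "SN-CCC3", records=30),
    ]

    # Constructed HR feed: user -> scheduled last working day (hypothetical).
    SEPARATIONS = {"jdoe": date(2015, 11, 9)}

    MAJOR_INCIDENT_RECORDS = 10_000          # threshold quoted in the story
    PRE_SEPARATION_WINDOW = timedelta(days=14)


    def detect(events, separations,
               record_threshold=MAJOR_INCIDENT_RECORDS,
               window=PRE_SEPARATION_WINDOW):
        """Return alerts as (alert_kind, user, detail, day) tuples, in time order."""
        alerts = []
        copied = {}              # user -> cumulative records copied to removable media
        bulk_alerted = set()     # users already flagged for bulk copying
        for e in sorted(events, key=lambda x: x.day):   # stable: keeps same-day order
            if e.kind == "usb_mount" and not e.encrypted:
                alerts.append(("unencrypted_media", e.user, e.device, e.day))
            elif e.kind == "copy_to_removable":
                copied[e.user] = copied.get(e.user, 0) + e.records
                sep = separations.get(e.user)
                # Copy on or before the separation date, inside the look-back window.
                if sep is not None and timedelta(0) <= sep - e.day <= window:
                    alerts.append(("pre_separation_copy", e.user, e.device, e.day))
                if copied[e.user] >= record_threshold and e.user not in bulk_alerted:
                    bulk_alerted.add(e.user)
                    alerts.append(("bulk_copy", e.user, copied[e.user], e.day))
        return alerts


    if __name__ == "__main__":
        for kind, user, detail, day in detect(EVENTS, SEPARATIONS):
            print(f"{day} {kind:20} user={user} detail={detail}")
    ```

    On the constructed data, every alert lands on the day of the activity rather than in a review a year later: jdoe's unencrypted mount and the first copy fire on 2 November, the second copy fires again for the separation window and pushes the cumulative total to 11,700 records, crossing the threshold; asmith's small copy to an encrypted device raises nothing. In a real deployment the events would come from the endpoint agent and the separation dates from HR, and the threshold would be tuned per role rather than borrowed from an incident-classification rule.
    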

  • It seems the bank officials, or the reporters, don't understand the difference between copying information, and deleting information.

    It was considered a major incident "because the devices containing the information are not recoverable and more than 10,000 records were removed"

    The original records in the bank servers were almost certainly not "removed". That's not what happens when you copy something to a thumb drive.

    The fact that the devices containing the information are not recoverable is also PROBABLY g

  • All external USB ports should have been removed. If the printer needs a USB port then a password protected bluetooth unit should be utilized.

    • I bet 99% of the staff can't figure out how to plug a flash drive into a MacBook... The new pro models have 3 ports open of the wrong type, but the MacBook would be charging on its only port.

  • > The official, who was not authorized to discuss the case, noted that a large batch of unclassified personnel records were among the cache.

    What does it mean when an official who was not authorized to discuss the case goes ahead and discusses it?

    Maybe at the Office of the Comptroller of the Currency there's a culture of not following the rules.
