The FDIC detected and quickly moved to mitigate a breach of 44,000 customer records after an employee leaving the agency inadvertently downloaded the data to a removable media device Feb. 26.

Within three days of the breach, an agency data loss prevention tool detected the download. The employee returned the device with the data the next day.

The employee, who worked in the FDIC's resolution and receivership group, signed an affidavit confirming she did not in any way use or share the information, which contained names, addresses and loan numbers of customers affected by bank closures.

“The FDIC's relationship with the employee has not been adversarial,” FDIC CIO Lawrence Gross Jr. wrote in a March 18 memo to FDIC Chairman Martin J. Gruenberg obtained by the Washington Post, which first reported the news. “The FDIC's investigation does not indicate that any sensitive information has been disseminated or compromised.”

The FDIC followed the mandates in the Federal Information Security Management Act and reported the incident to Congress right away. Since February, the FDIC has updated its policy to prohibit removable storage device usage.

Despite the FDIC's efforts to mitigate the risks in the aftermath of the breach, the House Committee on Science, Space, and Technology opened an investigation into the agency's history of information security. Committee Chairman Lamar Smith (R-Texas) asked Gruenberg for details about the breach and all major security breaches involving FDIC information since 2009.

“As you know, sensitive information that is housed for any length of time without proper measures in place to mitigate cybersecurity risks is susceptible to a breach,” Smith wrote. “Even more troubling, the potential for a breach is especially heightened when sensitive information for over 44,000 individuals is stored without proper security measures.”

“The FDIC was lucky that the employee cooperated and returned the data. Not every company or government agency will fare so well,” Gord Boyce, CEO of San Jose, Calif.-based file security firm FinalCode, said.

Boyce added that, with all of the layers of security available, organizations have no excuse when it comes to preventing data leakage of customer information or intellectual property.

“Securing sensitive information at the file level is the best way to define individual access permission and ensures that you can maintain control over your data everywhere it travels, inside or outside the organization,” he said.

The FDIC breach serves as a cautionary tale of the susceptibility of sensitive information no matter the intentions.

“Once unencrypted data is out there, it's out there. Organizations should foresee this occurring and apply file security and policies beforehand,” Boyce maintained.
