Slashdot Mirror


US Bank Regulator Notifies Congress of Major Data Security Breach (metro.us)

A U.S. banking regulator says an employee was found to have downloaded a large number of files onto thumb drives a week before he retired. When the former employee was contacted, the Office of the Comptroller of the Currency said he "was unable to locate or return the thumb drives to the agency." The reassuring news is that the information appears not to have been disclosed to the public or misused in any way, according to the OCC. Metro.us reports: Before he retired in November 2015, the former employee downloaded a large number of files onto two removable thumb drives, though the incident was only detected last month during a routine security review, the OCC said in a statement. The stolen data was encrypted, the agency said. The Office of the Comptroller, along with the Federal Reserve and Federal Deposit Insurance Corporation, is one of the nation's three most influential bank regulators, tasked with protecting consumers and financial markets. The OCC has deemed the breach a "major incident" because the devices containing the information are not recoverable and more than 10,000 records were removed, the agency said. The official, who was not authorized to discuss the case, noted that a large batch of unclassified personnel records were among the cache.

48 comments

  1. When the employee was contacted... by nospam007 · · Score: 1

    Contacted? With handcuffs, I presume?

    1. Re:When the employee was contacted... by rednip · · Score: 2

      A couple of years ago, a company for which I had been working was refreshing all the laptops. As part of the program, the USB ports were locked down so that only encrypted drives could be used. As soon as you plugged in a drive that was not encrypted, it insisted on encrypting the contents before allowing it to be used as a drive. In fact the company policy was that one could continue to use your personal thumb drives, but insisted that they be encrypted and password protected (which seemed odd to me at the time).

      I suspect that he, like many people (but not me), had a bunch of his 'day to day' files on a thumb drive, perhaps even the data he wanted to 'keep safe' while getting new equipment, but may have been untouched in months if not years. As part of his 'departure plan' he uploaded all of the old data*, including that 'silly extra step' of encrypting his old thumb drive. However, that transaction was logged as an upload to the encrypted drive and at least one of those file names was later flagged as containing 'Personally Identifiable Information'. The thumb drive might not have even left the office, but clearly wasn't accounted for on his exit.

      Not every blunder deserves handcuffs.

      --
      The force that blew the Big Bang continues to accelerate.
    2. Re:When the employee was contacted... by GNious · · Score: 3, Funny

      Not every blunder deserves handcuffs.

      #Hillary2016 :p
      (sorry, had to)

  2. Only one thing to do by Kohath · · Score: 4, Funny

    Elect that employee President of the United States.

    1. Re:Only one thing to do by Anonymous Coward · · Score: 0

      Silly me, I thought that the qualification for President was groping beauty pageant contestants and elevator companions.

    2. Re: Only one thing to do by Anonymous Coward · · Score: 0

      Exposing national secrets and blatantly lying to literally everyone is basically the same as a celebrity getting free hugs.

  3. Old people by Anonymous Coward · · Score: 1, Interesting

    Old people don't seem to get how important personal information is. Back when I was in school, this old fart used our SSNs and DOBs for our userid and pw for a job website - an external company. He retired the following year. The person who took over was beside herself over her predecessor's stupidity.

    These old people don't realize that this information goes all around the World and we don't know who has access.

    Bank of America's databases of customer data are all handled in India. So are the credit bureaus. I had a problem with my report for Equifax and they sent me to an Indian call center that had ALL my information.

    I am just waiting for the day that the black helicopters land and shit my ass off because some terrorist used my identity in Derkaderkastan.

    1. Re:Old people by Anonymous Coward · · Score: 0

      Old people don't seem to get how important personal information is.

      People of all ages don't understand how important personal information is.

    2. Re: Old people by slasher999 · · Score: 2

      This comment is quite ignorant, not interesting. Blaming age for someone's failure to properly handle sensitive data is missing the point. This could be a policy issue, a training issue, a company cultural issue, or something more nefarious. Age likely has nothing to do with this.

    3. Re:Old people by Zak3056 · · Score: 2

      I think the problem isn't that this information was used in this way, but that your SSN has become the root password to your identity. These days, it's issued at birth and changing them is a non-trivial task. You use it every time you get a job, and your employer can leak this information. If you get a divorce, your former spouse likely still knows it. Anyone who sees your tax forms has it.

      The foolish part is anyone trusting the SSN as an authentication mechanism.

      --
      What part of "shall not be infringed" is so hard to understand?
    4. Re: Old people by HiThere · · Score: 1

      As a blanket statement, *I* think it's "ignorant to think older people have less of a grasp on computers and technology", but then I've been a programmer to one degree or another since 1963.

      That said, I have less grasp of modern web usage than most, preferring static HTML, and my C++ is antique...I haven't used it since around 2000. And I sometimes find modern GUIs opaque. (Recently a 16 year old showed me how to adjust the tone produced by an electronic metronome.) So there are definite *areas* where I have less grasp of technology. But the blanket statement is either bigoted or thoughtless.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re:Old people by sconeu · · Score: 1

      When I was at WUSTL in 1980, our University student ID number was our SSN.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    6. Re:Old people by GNious · · Score: 1

      The foolish part is anyone trusting the SSN as an authentication mechanism.

      That would explain why modern countries don't ....

    7. Re:Old people by Anonymous Coward · · Score: 0

      Old people don't seem to get how important personal information is

      Got to call bull shot on this one. I work in Information Security and it is the young people that "don't care" about the privacy of their data or their lives. They are the ones I hear say "Well I have nothing to hide spy on me I don't care."

      Bank of America's databases of customer data is all handled in India.

      Maybe the calls are handled there but the actual DB and data is in Atlanta, GA. I know, I worked there. This doesn't mean your data is safe.

      Yesterday I went to order new checks online from the Harland Printing company. I got asked where I lived between 1969 and 1970. I also got a list of names and was asked if I knew any of these people. Yes, I shut down the order and called it in, but I have to ask why a PRINTING COMPANY needs access to data that knows where I lived some 40 years ago. No one needs that info.

  4. WTF by ThatsNotPudding · · Score: 1

    Before he retired in November 2015, the former employee downloaded a large number of files onto two removable thumb drives...

    I guess some guys aren't content with just swiping Post-It notes. FFS.

  5. Oh please.... Yer killin' me! by NoNonAlphaCharsHere · · Score: 2

    A U.S. banking regulator...

    <snort> AH HA HA HA Stop it! As if... <snort> HEE HEE "US banking regulators" <giggle> Did they mention what the unicorns and tooth fairies were up to?

  6. Major Breach! bank data on the Internet! by Anonymous Coward · · Score: 0

    Some bank data has passed over the Internet, among various banks. The US Government has classified it as a major breach because foreign actors, criminal syndicates, and nefarious Trolls might have access to the data as it passes over the public Internet, and because the data of almost every citizen of the world was affected by the breach, which may be ongoing. The data was encrypted, says the government.

  7. Run for your lives! Mohammed the creepy clown! by Anonymous Coward · · Score: 0, Offtopic

    Mohammed: Did you see Mohammed at the meeting today?
    Mohammed: No, but his brother Mohammed showed up.
    Mohammed: What did Mohammed talk about?
    Mohammed: Mohammed introduced us to Mohammed who is also a mason!
    Mohammed: A mason? No shit? How long has he been one?
    Mohammed: About five years. He was referred to the local lodge by Mohammed.
    Mohammed: Ah, yes, Mohammed. He has a shit ton of connections around town!
    Mohammed: Yes, and our brothers, police be upon them, Mohammed and Mohammed from Egypt came, too.
    Mohammed: I've been thinking of becoming a clown.
    Mohammed: A clown, Mohammed, why?
    Mohammed: So I can film myself being gay.
    Mohammed: Oh, you.
    Mohammed: So anyway, is Mohammed, Mohammed, and Mohammed coming to the next party?
    Mohammed: Indeed. Mohammed was so funny last time.
    Mohammed: Well it wouldn't be a party without Mohammed.
    Mohammed: Yes, my friend. POLICE BE UPON THEM!

  8. Just like in the movies by ls671 · · Score: 2, Interesting

    Great!

    Just like in the movies, thumb drives are enabled and auto-magically work in all banking hardware/workstations I assume...

    At least, they seem to have a non real-time system that reports "incidents" months later.

    I have seen places where not only can't you access anything from a thumb drive, but security guards auto-magically appear at your desk if you try to plug one in.

    --
    Everything I write is lies, read between the lines.
    1. Re:Just like in the movies by Kohath · · Score: 1

      It's a government bureau. What do you think happens when a government bureau is found to have poor data security? Do you think anyone gets fired? Do you think they'll be regulated? Do you think they'll be sued?

      So what's their incentive to have good data security? What real incentive does anyone have to pressure any government agencies to do anything responsibly?

    2. Re:Just like in the movies by ls671 · · Score: 1

      Depends what "government bureau". You might be right for this specific "government bureau" but some others, although seldom, don't F.A.

      --
      Everything I write is lies, read between the lines.
  9. And to think... by Zontar+The+Mindless · · Score: 1

    ...this could have been prevented with a six-dollar tube of epoxy from the local Wal-Mart.

    --
    Il n'y a pas de Planet B.
    1. Re: And to think... by Anonymous Coward · · Score: 0

      Deterred, maybe. Prevented, no. Don't kid yourself.

    2. Re: And to think... by Anonymous Coward · · Score: 0

      Someone is apt to notice the guy with a laptop that has a bunch of wire and a loose USB port hanging out the side.

  10. Enough of This by Anonymous Coward · · Score: 0

    Any kind of control of personal computers and personnel seems to be impossible. It's back to the terminals time for every regulated industry, agency or entity handling regulated information.

    1. Re: Enough of This by slasher999 · · Score: 1

      Except now everyone always has a camera with them at all times.

    2. Re: Enough of This by Anonymous Coward · · Score: 0

      I'm sure the handset manufacturers will implement DRM support for their cameras to appease the movie industry any time now, which these brave, new terminal environments can also utilize.

  11. Let me get this straight. by Anonymous Coward · · Score: 0

    OK, let me get this straight. A guy steals 2 thumb drives worth of data. When it is discovered, they go ask the guy, "Hey, where are those 2 thumb drives with the data you copied before you retired?". The guy says he can't find them but didn't do anything with them that he shouldn't have, so the investigators breathe a sigh of relief and say "Well, that's good, let us know if you find them.".

    If he copied the data, he broke the flipping law to begin with, why in the world would you believe him when he said he didn't give / sell the data to someone who is going to use it illegally?

    You have got to be kidding me! Is it April 1 and I didn't realize it?

    1. Re:Let me get this straight. by Anonymous Coward · · Score: 0

      But did he intend to break the law? That is all that seems to matter these days, intent.
      He's fine as long as he didn't intend to break any law or policy! At least that works for rich people :)

  12. Encrypted? by Anonymous Coward · · Score: 0

    We encrypt sensitive data at my company. Of course, I know how to decrypt it.

    Who downloads lots of useless stuff right before they leave a job?

    A better explanation of the situation would be this: The man decided that the company retirement plan wasn't good enough, so he took steps to supplement his income. He couldn't return the thumb drives because they were no longer in his possession. You know, sort of like he might have exchanged them for something of more use to him...

  13. Proves my concerns by chipperdog · · Score: 1

    I know I've been talking about rolling out a group policy to disable USB drives across our enterprise, but I get told I'm being controlling.... They have been our largest infection vector and, like this post shows, an easy way for data to walk out the door without an audit trail.

    1. Re:Proves my concerns by grumpy-cowboy · · Score: 4, Insightful

      The problem is not the access to the USB drive but the easy access to the data. Only a printer is required to steal mass data (or a pen/paper if you're really motivated!).

      As a freelancer, I can assure you that in all insurance companies I worked at as a contractor I had easy access to the WHOLE client databases: Samba drives on production servers open to everyone, access to production databases (like every other IT employee in the company), services exposed wide open (REST/SOAP services, app server communication channels (WebLogic t3 for example), ...), shared "tmp/exchange" drives where production batches put stuff "temporarily", ...

      USB devices are not the problem. Easy access to data for everyone in the company is the problem.

      --
      Will $CURRENT_YEAR be the year of the Linux Desktop?
    2. Re:Proves my concerns by Anonymous Coward · · Score: 0

      I am going to be addressing your problem, i.e. the control of USB access: an alternative to NO!!!!! Instead, require user authentication (force users to put a data trail on "yes, I did this"; this helps institute ownership of the actions). Depending on the enterprise solutions you currently have in place, you can whitelist known devices for all of the pet people w/ perks. Yes, we all wish they didn't exist, but they do exist; such is human nature, so a good IT person will design to match humanity. There are also policies to cover file writes for things of a sensitive nature. Various 3-letter agencies employ particularly robust solutions. The deficiency is when activity reaches a high enough level that you begin to filter what is considered routine. Thus begins the epic tale of all security systems & the balance of access, which has played out in the front pages of News for the last 8 years.
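      What the "group policy to disable USB drives" from chipperdog's post and the whitelist of "known devices" from the reply above look like once written down, as an added example (not code from any commenter, Slashdot or the OCC): the registry keys the Group Policy editor writes for "Prevent installation of removable devices", "Allow installation of devices that match any of these device IDs", "Removable Disks: Deny execute access" and "All Removable Storage classes: Deny all access", rendered as .reg fragments for two postures, plus a model of the allow-list decision. The vendor/product strings are invented; the value names should be checked against the policy templates of the Windows build you deploy to.

```python
"""Two removable-storage postures for a Windows fleet, rendered as the .reg
fragments Group Policy writes, plus a model of the allow-list match.
Hardware IDs below are constructed examples, not real products."""

POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"
RESTRICTIONS = POLICY_ROOT + r"\DeviceInstall\Restrictions"
REMOVABLE_STORAGE = POLICY_ROOT + r"\RemovableStorageDevices"
# Class GUID the "Removable Storage Access" policy uses for Removable Disks.
REMOVABLE_DISKS_GUID = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

# Hardware IDs of the managed, hardware-encrypted drives the org hands out
# (hypothetical). Hardware IDs identify a model; pinning a specific stick by
# serial needs the device-instance-ID variant of the setting on newer builds.
APPROVED_HARDWARE_IDS = [
    r"USBSTOR\DiskExampleVaultSecure_Drive",
    r"USBSTOR\DiskExampleVault",
]


def _dword(name, value):
    return f'"{name}"=dword:{value:08x}'


def _string(name, value):
    escaped = value.replace("\\", "\\\\")  # .reg files escape backslashes
    return f'"{name}"="{escaped}"'


def render_policy(posture, approved=APPROVED_HARDWARE_IDS):
    """Return a .reg fragment for one posture.

    'lockdown' : no user-mode access to any removable storage class at all.
    'allowlist': block installation of removable devices except the approved
                 hardware IDs (allow entries take precedence over the deny),
                 and deny execution from removable disks that do get in.
    """
    out = ["Windows Registry Editor Version 5.00", ""]
    if posture == "lockdown":
        out += [f"[{REMOVABLE_STORAGE}]", _dword("Deny_All", 1), ""]
    elif posture == "allowlist":
        out += [f"[{RESTRICTIONS}]",
                _dword("DenyRemovableDevices", 1),  # block anything removable...
                _dword("AllowDeviceIDs", 1),        # ...except the IDs listed below
                "",
                f"[{RESTRICTIONS}\\AllowDeviceIDs]"]
        out += [_string(str(i), hid) for i, hid in enumerate(approved, 1)]
        out += ["", f"[{REMOVABLE_STORAGE}\\{REMOVABLE_DISKS_GUID}]",
                _dword("Deny_Execute", 1), ""]
    else:
        raise ValueError(f"unknown posture {posture!r}")
    return "\n".join(out)


def device_allowed(reported_ids, approved=APPROVED_HARDWARE_IDS):
    """Model of the allow-list decision: a device is admitted if any of the
    hardware/compatible IDs it reports equals an approved entry
    (case-insensitive exact match; a simplification of the real matcher)."""
    wanted = {a.lower() for a in approved}
    return any(rid.lower() in wanted for rid in reported_ids)


if __name__ == "__main__":
    print(render_policy("allowlist"))
    # A device reports its IDs from most to least specific; only the
    # approved model matches, a generic consumer stick does not.
    print(device_allowed([r"USBSTOR\DiskExampleVaultSecure_Drive1.00",
                          r"USBSTOR\DiskExampleVaultSecure_Drive",
                          r"USBSTOR\GenDisk"]))
```

      Import the fragment with reg.exe on a test machine or, better, set the same values through a GPO so they are enforced and reapplied. The "lockdown" posture is the one ls671's "guards appear at your desk" shops run; the "allowlist" posture is what rednip's employer did, minus the forced-encryption step, which the device policy cannot express on its own.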

    3. Re:Proves my concerns by grumling · · Score: 1

      Which is why people should be vetted and subject to background checks prior to working for a company. I'm sure everyone has a price, and a few people with a past do reform, but you're an example of someone who could have done some real damage but chose not to. I don't know what motivated you to not pilfer the data, but I'll bet the fear of the consequences wasn't necessarily at the top of the list.

      --
      "Well, good luck finding a judge that doesn't run a bestiality site."
    4. Re:Proves my concerns by mysidia · · Score: 1

      Which is why people should be vetted and subject to background checks prior to working for a company.

      Most companies DO run background checks, but background checks are not a substitute for using record management systems that provide proper controls AND managing those controls.

      Files with personally identifiable information on customers or personnel should NOT just be on companies' shared windows disk where anyone in the company can access and copy their data with no controls.

      The data belongs in an application that vaults the data, does not permit customer or HR data to be worked on with unsafe tools such as Microsoft Excel or copied to external or internal disks with simple drag and drop operations, and requires the user supply a 'proof of need' or a reason for each file being accessed, each time that record data is being accessed.

    5. Re: Proves my concerns by Anonymous Coward · · Score: 0

      Hello SJWs. It is now illegal to run criminal background checks before offering a job in cities like NYC. And it is illegal discrimination to withdraw the offer later if it turns out the guy has a record... I would rather not hire a criminal to work in a finance firm; why should that be a protected class?
      Yeay for stupid liberal laws.

    6. Re:Proves my concerns by MooseTick · · Score: 1

      "Which is why people should be vetted and subject to background checks prior to working for a company."

      This guy retired. He may have started there 30 years ago. Vetting and background checks aren't the solution.

  14. Free market solution? by Gravis+Zero · · Score: 2, Informative

    Shouldn't the free market solution be to inform everyone whose account may be compromised and let the bank fail if everyone flees from it? I keep hearing about how great the free market is but never hear about entrenched systems practicing what they preach.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Free market solution? by grumling · · Score: 1

      Banking is hardly a free market. And separating yourself from a bank isn't as simple as it once was.

      In the last year I've had several disappointing experiences with big businesses. All of them have been difficult, but the more competitive the market the easier it has been:

      I own an Audi A3 TDI. My iPad Pro bricked after an iOS update. And (although I wasn't directly affected) Wells Fargo cheated a bunch of customers.

      Although it has been a hassle, I was able to buy a new vehicle, one that isn't an Audi, just by visiting a dealer in town and picking one out. Sorting out selling back the vehicle to VW looks to be fairly straight forward and I never have to think about Audi again.

      Apple screwed me out of several days of use and I had to complain a lot, but they replaced my dead iPad. If they didn't I would have likely sold all my Apple hardware and gone back to Microsoft and Android devices.

      I'm considering moving my accounts from Wells Fargo. This will mean contacting a dozen or so different entities to change payments, deposits, and a bunch of other semi-automatic transactions, having to get new credit cards, and a very high likelihood of someone losing a payment. The first bank that offers a concierge-like service for getting all that sorted out will get my business. But I won't hold my breath.

      --
      "Well, good luck finding a judge that doesn't run a bestiality site."
    2. Re:Free market solution? by Anonymous Coward · · Score: 0

      Move to Australia.

      http://www.apca.com.au/about-payments/switching-accounts

      Solved over 4 years ago here.

      (can't remember password, don't care enough to reset it).

      PS, don't come as a refugee via boat...

  15. Finger Pointing by slasher999 · · Score: 2

    Nothing here or in the article indicates if the information was downloaded as part of this individual's job responsibility. The article does call the information stolen but offers no support for that. The company is at least equally at fault here for PII being misplaced. Why were the USB ports enabled on a device that had access to sensitive data unless this was approved behavior? Why was there no DLP solution in place monitoring in real time a device with access to sensitive data and enabled USB ports and presumably internet access?
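    The real-time monitoring slasher999 asks for above, the "guards appear at your desk" alert ls671 describes in thread 8, and the audit trail chipperdog wants in thread 13, in working form: a toy rule set run over a constructed stream of endpoint audit events, added here as an example and not code from the OCC, Slashdot or any commenter. The event format, user names, device IDs, file paths and the HR separation date are all made up; a real deployment would feed it Windows removable-storage auditing or an endpoint agent's log instead. The second rule is the one the story needed: a departing user copying a large batch of records to removable media a week before leaving.

```python
"""Toy DLP rules over endpoint audit events: alert on unmanaged removable
media at insertion time, and on bulk copies to removable media by users
who are about to leave. Constructed data throughout; not the OCC's logs."""
import re
from collections import Counter
from datetime import date, datetime, timedelta

# Managed, encrypted drives the org issues (hypothetical device IDs).
APPROVED_DEVICES = {"USBSTOR-IRONKEY-0A12"}
# HR separation list: user -> last working day (hypothetical).
SEPARATIONS = {"rwalsh": date(2015, 11, 9)}

_EVENT_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one audit line into a dict; return None for malformed lines.
    Constructed line format: '<ISO ts>Z user=<u> event=<type> k=v ...'.
    In this format every file_write carries dev=, i.e. it is a write to
    removable media."""
    m = _EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
          "user": m["user"], "event": m["event"]}
    ev.update(_KV_RE.findall(m["rest"]))
    return ev


def build_sample_log():
    """Constructed stream: one retiring user copies 120 personnel files to an
    unmanaged drive a week before leaving; a colleague uses an approved drive."""
    lines = ["2015-11-02T08:55:10Z user=rwalsh event=usb_attached dev=USBSTOR-KINGSTON-1C6F65"]
    start = datetime(2015, 11, 2, 9, 1, 0)
    for i in range(120):
        ts = (start + timedelta(seconds=15 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} user=rwalsh event=file_write dev=USBSTOR-KINGSTON-1C6F65 "
                     f"path=\\\\fs01\\personnel\\record_{i:05d}.pdf")
    lines += [
        "2015-11-03T10:12:00Z user=kpatel event=usb_attached dev=USBSTOR-IRONKEY-0A12",
        "2015-11-03T10:13:40Z user=kpatel event=file_write dev=USBSTOR-IRONKEY-0A12 "
        "path=\\\\fs01\\shared\\slides.pptx",
        "garbage line the parser must skip",
    ]
    return lines


def evaluate(lines, separations=SEPARATIONS, approved=APPROVED_DEVICES,
             leaver_window_days=30, bulk_threshold=50):
    """Run two rules over the stream and return alerts in stream order.

    unapproved_device: fires the moment an unmanaged drive is attached
                       (once per user/device pair).
    leaver_bulk_copy : fires once a user whose separation date falls within
                       leaver_window_days has written >= bulk_threshold files
                       to removable media, approved drive or not.
    """
    alerts = []
    seen_unapproved = set()
    writes = Counter()
    fired = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["event"] == "usb_attached" and ev.get("dev") not in approved:
            key = (ev["user"], ev["dev"])
            if key not in seen_unapproved:
                seen_unapproved.add(key)
                alerts.append({"rule": "unapproved_device", "user": ev["user"],
                               "dev": ev["dev"], "ts": ev["ts"].isoformat()})
        elif ev["event"] == "file_write":
            writes[ev["user"]] += 1
            last_day = separations.get(ev["user"])
            if last_day is None or ev["user"] in fired:
                continue
            days_left = (last_day - ev["ts"].date()).days
            if 0 <= days_left <= leaver_window_days and writes[ev["user"]] >= bulk_threshold:
                fired.add(ev["user"])
                alerts.append({"rule": "leaver_bulk_copy", "user": ev["user"],
                               "files": writes[ev["user"]],
                               "days_to_separation": days_left,
                               "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(build_sample_log()):
        print(alert)
```

    The first rule is the one a guard can act on while the drive is still in the port; the second needs the HR feed and a threshold, and those two knobs (window and threshold) are what you tune against the false positives of people legitimately handing over work before they leave. Either way the alert exists on the day it happened, not at the next routine review months later.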

  16. I'm not worried by Anonymous Coward · · Score: 0

    I heard that only CowboyNeal has the key.

  17. Reports on data breaches misconstrue copying by presidenteloco · · Score: 1

    It seems the bank officials, or the reporters, don't understand the difference between copying information, and deleting information.

    It was considered a major incident "because the devices containing the information are not recoverable and more than 10,000 records were removed"

    The original records in the bank servers were almost certainly not "removed". That's not what happens when you copy something to a thumb drive.

    The fact that the devices containing the information are not recoverable is also PROBABLY good news, in that they were probably misplaced in the person's residence or trashed. In either case, the sensitive data is probably not usable in the wild, so that would count as possible good news, not probable bad news.

    Stealing information does not deprive the original owner of the information, get it straight.

    It only deprives the original owner of exclusive access to the information.

    What is then important is what becomes of the unauthorized copy of the info. Is it all over the public internet, or sold to spies/criminals, or not. If not, then no biggie.

    --
    Where are we going and why are we in a handbasket?
  18. USB: To be, or not to be, that is the question. by thexfile · · Score: 1

    All external USB ports should have been removed. If the printer needs a USB port then a password protected bluetooth unit should be utilized.

  19. Not authorized to discuss by dubner · · Score: 1

    > The official, who was not authorized to discuss the case, noted that a large batch of unclassified personnel records were among the cache.

    What does it mean when an official who was not authorized to discuss the case goes ahead and discusses it?

    Maybe at the Office of the Comptroller of the Currency there's a culture of not following the rules.

  20. They should have MacBooks! by bussdriver · · Score: 1

    I bet 99% of the staff can't figure out how to plug a flash drive into a MacBook... The new pro models have 3 ports open of the wrong type, but the MacBook would be charging on its only port.

  21. Comptroller by Anonymous Coward · · Score: 0

    Always found that to be a weird, almost made up word.