US Bank Regulator Notifies Congress of Major Data Security Breach (metro.us)
A U.S. banking regulator says an employee was found to have downloaded a large number of files onto thumb drives a week before he retired. When the former employee was contacted, the Office of the Comptroller of the Currency said he "was unable to locate or return the thumb drives to the agency." The reassuring news is that the information appears not to have been disclosed to the public or misused in any way, according to the OCC. Metro.us reports: Before he retired in November 2015, the former employee downloaded a large number of files onto two removable thumb drives, though the incident was only detected last month during a routine security review, the OCC said in a statement. The stolen data was encrypted, the agency said. The Office of the Comptroller, along with the Federal Reserve and the Federal Deposit Insurance Corporation, is one of the nation's three most influential bank regulators, tasked with protecting consumers and financial markets. The OCC has deemed the breach a "major incident" because the devices containing the information are not recoverable and more than 10,000 records were removed, the agency said. The official, who was not authorized to discuss the case, noted that a large batch of unclassified personnel records was among the cache.
Elect that employee President of the United States.
<snort> AH HA HA HA Stop it! As if... <snort> HEE HEE "US banking regulators" <giggle> Did they mention what the unicorns and tooth fairies were up to?
Great!
Just like in the movies, thumb drives are enabled and auto-magically work in all banking hardware/workstations I assume...
At least, they seem to have a non real-time system that reports "incidents" months later.
I have seen places where not only can you not access anything from a thumb drive, but security guards auto-magically appear at your desk if you try to plug one in.
Everything I write is lies, read between the lines.
Shouldn't the free market solution be to inform everyone whose account may be compromised and let the bank fail if everyone flees from it? I keep hearing about how great the free market is but never hear about entrenched systems practicing what they preach.
Anons need not reply. Questions end with a question mark.
The problem is not the access to the USB drive but the easy access to the data. Only a printer is required to steal mass data (or a pen and paper if you're really motivated!).
As a freelancer, I can assure you that in all the insurance companies I worked at as a contractor I had easy access to the WHOLE client databases: Samba shares on production servers open to everyone, access to production databases (like every other IT employee in the company), services exposed wide open (REST/SOAP services, app server communication channels (WebLogic t3 for example), ...), shared "tmp/exchange" drives where production batches put stuff "temporarily", ...
USB devices are not the problem. Easy access to data for everyone in the company is the problem.
Will $CURRENT_YEAR be the year of the Linux Desktop?
Nothing here or in the article indicates whether the information was downloaded as part of this individual's job responsibilities. The article does call the information stolen but offers no support for that. The company is at least equally at fault here for PII being misplaced. Why were the USB ports enabled on a device that had access to sensitive data unless this was approved behavior? Why was there no DLP solution in place monitoring, in real time, a device with access to sensitive data, enabled USB ports and presumably internet access?
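The comment above asks why nothing flagged the copies in real time rather than during a review months later. The following is an added example (not from the article, the OCC, or any commenter) of the kind of detection a DLP or endpoint agent could run: it correlates removable-media write events with an HR separation date and alerts when a departing user writes an unusual volume, or anything from a sensitive path, to removable media in the final weeks. The log format, the sample lines, the separation-date feed and the path heuristics are all constructed for illustration; a real deployment would map the parser to whatever the endpoint agent actually emits.

```python
"""Flag bulk copies to removable media shortly before an employee's exit.

Added example, not from the article or any comment. The log format and
the sample lines below are constructed for illustration; map parse_event
to whatever your endpoint agent or DLP product actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per removable-media write:
#   "<ISO timestamp> user=<id> dev=<serial> file=<path> bytes=<n>"
SAMPLE_LOG = """\
2015-11-02T09:14:07 user=jdoe dev=USB-4F21 file=/home/jdoe/notes.txt bytes=2048
2015-11-03T17:41:22 user=asmith dev=USB-9A03 file=/srv/hr/personnel_2014.csv bytes=52428800
2015-11-03T17:42:10 user=asmith dev=USB-9A03 file=/srv/hr/personnel_2015.csv bytes=61865984
2015-11-04T08:05:31 user=asmith dev=USB-9A03 file=/srv/hr/ssn_index.db bytes=14680064
2015-11-04T12:00:00 user=jdoe dev=USB-4F21 file=/home/jdoe/photo.jpg bytes=3145728
"""

# Constructed HR feed: last working day per user (hypothetical data).
SEPARATIONS = {"asmith": datetime(2015, 11, 10), "jdoe": datetime(2016, 6, 30)}

LOOKBACK = timedelta(days=14)          # window before separation to examine
BYTES_THRESHOLD = 100 * 1024 * 1024    # 100 MiB to removable media in the window
SENSITIVE_MARKERS = ("personnel", "ssn", "/srv/hr/")  # crude PII-path heuristic


def parse_event(line):
    """Parse one constructed log line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        kv = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": ts, "user": kv["user"], "dev": kv["dev"],
                "file": kv["file"], "bytes": int(kv["bytes"])}
    except (ValueError, KeyError):
        return None


def parse_log(text):
    """Parse all well-formed lines, silently skipping malformed ones."""
    return [e for e in (parse_event(line) for line in text.splitlines()) if e]


def find_exfil_candidates(events, separations, lookback=LOOKBACK,
                          threshold=BYTES_THRESHOLD):
    """Return {user: finding} for users whose removable-media writes in the
    lookback window before their separation date exceed the byte threshold
    or touch a path matching SENSITIVE_MARKERS."""
    totals = defaultdict(int)
    sensitive = defaultdict(list)
    devices = defaultdict(set)
    for e in events:
        sep = separations.get(e["user"])
        # Only events inside [separation - lookback, separation] count.
        if sep is None or not (sep - lookback <= e["ts"] <= sep):
            continue
        totals[e["user"]] += e["bytes"]
        devices[e["user"]].add(e["dev"])
        if any(m in e["file"].lower() for m in SENSITIVE_MARKERS):
            sensitive[e["user"]].append(e["file"])
    findings = {}
    for user in set(totals) | set(sensitive):
        if totals[user] >= threshold or sensitive[user]:
            findings[user] = {"bytes": totals[user],
                              "devices": sorted(devices[user]),
                              "sensitive_files": sensitive[user]}
    return findings


if __name__ == "__main__":
    for user, f in find_exfil_candidates(parse_log(SAMPLE_LOG), SEPARATIONS).items():
        print(f"ALERT {user}: {f['bytes']} bytes to {f['devices']}; "
              f"sensitive: {f['sensitive_files']}")
```

On the constructed sample, only the user with a separation date ten days away trips the alert; the other user's writes fall outside their window and are ignored. The separation-date join is the important design choice: a fixed byte threshold alone would page on every backup, while a departure window turns the same events into a high-signal insider-risk trigger that could have fired the week the copies happened rather than in a review a year later.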
This comment is quite ignorant, not interesting. Blaming age for someone's failure to properly handle sensitive data is missing the point. This could be a policy issue, a training issue, a company cultural issue, or something more nefarious. Age likely has nothing to do with this.
I think the problem isn't that this information was used in this way, but that your SSN has become the root password to your identity. These days, it's issued at birth and changing it is a non-trivial task. You use it every time you get a job, and your employer can leak this information. If you get a divorce, your former spouse likely still knows it. Anyone who sees your tax forms has it.
The foolish part is anyone trusting the SSN as an authentication mechanism.
What part of "shall not be infringed" is so hard to understand?
A couple of years ago, a company for which I had been working was refreshing all the laptops. As part of the program, the USB ports were locked down so that only encrypted drives could be used. As soon as you plugged in a drive that was not encrypted, it insisted on encrypting the contents before allowing it to be used as a drive. In fact the company policy was that one could continue to use one's personal thumb drives, but insisted that they be encrypted and password protected (which seemed odd to me at the time).
I suspect that he, like many people (but not me), had a bunch of his 'day to day' files on a thumb drive, perhaps even the data he wanted to 'keep safe' while getting new equipment, but may have been untouched in months if not years. As part of his 'departure plan' he uploaded all of the old data*, including that 'silly extra step' of encrypting his old thumb drive. However, that transaction was logged as an upload to the encrypted drive and at least one of those file names was later flagged as containing 'Personally Identifiable Information'. The thumb drive might not have even left the office, but clearly wasn't accounted for on his exit.
Not every blunder deserves handcuffs.
The force that blew the Big Bang continues to accelerate.
#Hillary2016 :p
(sorry, had to)