Seven employees of the Federal Deposit Insurance Corporation (FDIC) have left the agency with the personal banking information of about 160,000 U.S. residents over the last seven months.
FDIC CIO Lawrence Gross Jr. told a congressional oversight subcommittee Thursday that he believed the data breaches were "inadvertent."
Over the last seven months, the departing employees reportedly took the data on thumb drives and other removable media.
Gross told members of the House of Representatives Science, Space, and Technology Committee that the employees likely took the data by accident while copying personal data onto removable media.
However, at least one of the former employees is under criminal investigation, according to Fred Gibson, the FDIC's acting inspector general.
Lawmakers did not go easy on Gross, who did not classify the incidents as theft because the former employees signed affidavits saying they didn't share the data. Gross also did not report the incidents until pressed to do so by the inspector general’s office.
"Mr. Gross, you and I are viewing this incident from a completely different perspective," said Representative Bill Posey, R-Fla. You "call it a data breach. Where I'm from, we call it a theft if you take something that's not yours."
This isn’t the first time the FDIC has had cybersecurity issues. In 2011, a foreign government hacked into the computers of senior officials at the agency. The incident went undetected for more than a year, according to CIO. Members of the congressional subcommittee also questioned why departing employees were allowed to remove any data from the agency.
Removable media can provide an easy way for data to "walk away" from an organization. CIOs should ensure they have clear policies about what data can and cannot be removed by employees, as sensitive data (such as bank account information) can cause huge issues in the wrong hands.