(In 11th paragraph, corrects name to Eddie Bernice Johnson from
Bill Johnson)
WASHINGTON, May 12 - Members of Congress on
Thursday grilled the main U.S. banking regulator about a recent
raft of data breaches, highlighting two incidents where workers
downloaded more than 10,000 sensitive and private records onto
portable storage devices before leaving the agency's employ.
After the Federal Deposit Insurance Corp uncovered those two
breaches, it conducted a review and found five other instances
when employees improperly stored and took personal information
for tens of thousands of individuals, according to
Representative Barry Loudermilk, a Republican who chairs a House
of Representatives subcommittee on oversight and technology.
Altogether, more than 160,000 people were affected,
Loudermilk said at a hearing covering the breaches.
"To date, FDIC has failed to notify any of those individuals
that their private information may have been compromised," he
added.
The highest-ranking Democrat on the subcommittee,
Representative Don Beyer, said the concerns were shared by
members of both parties and added the FDIC was too slow in
notifying Congress about the breaks in data security. It should
have informed lawmakers within seven days of the incidents, he
said.
The FDIC's chief information officer and chief privacy
officer, Lawrence Gross, told the hearing the agency is working
to eliminate employees' use of portable media and has installed
technology blocking most employees from downloading data from
its systems to DVDs, CDs and flash drives.
It is also looking into "digital rights management" software
that limits how long someone can access information and puts up
other barriers to redistributing it.
Gross, who started his role in November, said he is
conducting a "top to bottom review" of the agency's information
technology policies and planned to hire an independent third
party to conduct an assessment.
The FDIC has said the downloads were inadvertent.
But members of Congress remained skeptical that the breaches
were not intentional.
"In at least one case...a former employee who downloaded
such data was evasive about her actions and not cooperative when
initially confronted," said Representative Eddie Bernice
Johnson.
"Some FDIC employees also suggest that it was highly
improbable that this former employee's actions were accidental.
In addition this former employee is now working for a U.S.
subsidiary of a non-U.S. financial services company which raises
additional concerns."
(Reporting by Lisa Lambert; Editing by Cynthia Osterman)