[ISN] Identity theft of FDIC employees leads to bank fraud, union says

From: InfoSec News (isn@private)
Date: Sun Jun 19 2005 - 23:32:55 PDT


http://www.govexec.com/dailyfed/0605/061705p1.htm

By Daniel Pulliam
dpulliam @ govexec.com 
June 17, 2005 

Personal data including Social Security numbers on nearly 6,000
current and former Federal Deposit Insurance Corporation employees was
stolen early last year, and some of the data has been used for
fraudulent purposes.

A June 10 letter [1] from the director of the agency's administration
division states that the "unauthorized released" of the information
included data on all FDIC employees who were in an official pay
status since July 2002. There are about 5,200 current workers. The
stolen data included names, birthdays, salaries, Social Security
numbers and length of service information. The FBI and the agency's
Office of Inspector General are investigating the theft.

In a few of those cases, the letter states, "this information is known
to have been used to obtain fraudulent loans from a credit union."

An FDIC spokeswoman said that the agency first found out about the
stolen data on March 30 when the agency's inspector general notified
the agency that former FDIC employees were victims of apparent fraud.  
The next day, employees affected by the fraud were notified, but it was
not until June 9 that the extent of the stolen data was discovered.

An FBI spokesman declined to comment on the investigation.

The letter does not explain why it took so long for the agency to
notify the employees or how the data was stolen, other than to say it was a
"security breach involving unauthorized access to personal information
on a large number of current and former FDIC employees." According to
the National Treasury Employees Union, which represents nearly 5,000
FDIC employees, at least 28 cases of identity theft have occurred,
including loans taken out under the employees' names at a government
credit union.

The letter states that the loss of data was not the result of a
failure of the agency's cybersecurity programs and that the agency is
taking steps to make sure this does not happen again.

In May, the Government Accountability Office released a report [2]
stating that while FDIC had improved weaknesses in its cybersecurity
controls, it had yet to establish a comprehensive security management
program.  In previous audits of the agency's cybersecurity standards,
GAO found the agency severely deficient.

According to an FDIC source, the data was culled from a stolen paper
copy of the employee information and no electronic hacking occurred.

In the letter, Arleas Upton Kea, the administration division director,
encouraged all employees potentially affected by the security breach
to obtain full credit reports from the three major credit bureaus.

"You should remain vigilant over the next 12 to 24 months and promptly
report incidents of suspected identity theft to the local police and
the credit bureaus," Kea wrote.

Although a recent federal law allows people to get free annual credit
reports, the law will not be implemented in the District of Columbia
and in Mid-Atlantic and Northeastern states until Sept. 1. Some
states in those regions have laws allowing for the free credit report.

To cover the cost - estimated by the FDIC at about $30 - employees are
told to submit a petty cash claim to the agency.

On Thursday, NTEU President Colleen M. Kelley forwarded a letter [3]
to FDIC's human resources associate director Miguel Torrado, asking
the agency to obtain or pay for credit monitoring services from all
three credit bureaus for the affected employees for at least a year.
Kelley also asked the agency to give the employees and credit bureaus
investigative reports so fraud alerts can be kept on their accounts
for at least a year.

"We expect the FDIC to do everything it can to help the impacted
employees, including hiring a credit monitoring service and identity
theft resolution company," Kelley said in a statement.

This is the third known case announced this year of federal workers'
personal data either being lost or stolen.

Last month, travel credit card data [4] for about 80,000 Justice
Department employees stored in a laptop was stolen from a travel
agency's Fairfax, Va., office.

Earlier this year, charge card data [5] for nearly 1.2 million federal
employees, including some senators, went missing while Bank of America
was shipping the data to a secure location.

In both cases, no information has been released as to what happened to
the data.

[1] http://www.govexec.com/pdfs/nteuemployeeletter.doc
[2] http://www.gao.gov/new.items/d04630.pdf
[3] http://www.govexec.com/pdfs/nteufdicletter.pdf
[4] http://www.govexec.com/dailyfed/0605/060305lb.htm
[5] http://www.govexec.com/dailyfed/0205/022805p2.htm


