Personal data including Social Security numbers on nearly 6,000 current and former Federal Deposit Insurance Corporation employees was stolen early last year, and some of the data has been used for fraudulent purposes.
A June 10 letter from the director of the agency's administration division states that the "unauthorized release" of the information included data on all FDIC employees that were in an official pay status since July 2002. There are about 5,200 current workers. The stolen data included names, birthdays, salaries, Social Security numbers and length of service information. The FBI and the agency's Office of Inspector General are investigating the theft.
In a few of those cases, the letter states, "this information is known to have been used to obtain fraudulent loans from a credit union."
An FDIC spokeswoman said that the agency first found out about the stolen data on March 30 when the agency's inspector general notified the agency that former FDIC employees were victims of apparent fraud. The next day, employees affected by the fraud were notified and it was not until June 9 that the extent of the stolen data was discovered.
An FBI spokesman declined to comment on the investigation.
The letter does not explain why it took so long for the agency to notify the employees or how the data was stolen other than it was a "security breach involving unauthorized access to personal information on a large number of current and former FDIC employees." According to the National Treasury Employees Union, which represents nearly 5,000 FDIC employees, at least 28 cases of identity theft have occurred, including loans taken out under the employees' names at a government credit union.
The letter states that the loss of data was not the result of a failure of the agency's cybersecurity programs and that the agency is taking steps to make sure this does not happen again.
In May, the Government Accountability Office released a report stating that while FDIC had improved weaknesses in its cybersecurity controls, it had yet to establish a comprehensive security management program. In previous audits of the agency's cybersecurity standards, GAO found the agency severely deficient.
According to an FDIC source, the data was culled from a stolen paper copy of the employee information and no electronic hacking occurred.
In the letter, Arleas Upton Kea, the administration division director, encouraged all employees potentially affected by the security breach to obtain full credit reports from the three major credit bureaus.
"You should remain vigilant over the next 12 to 24 months and promptly report incidents of suspected identity theft to the local police and the credit bureaus," Kea wrote.
Though recent federal law allows people to get free annual credit reports, the law will not be implemented in the District of Columbia and in Mid-Atlantic and Northeastern states until Sept. 1, though some states in those regions have laws allowing for the free credit report.
To cover the cost - estimated by the FDIC at about $30 - employees are told to submit a petty cash claim to the agency.
On Thursday, NTEU President Colleen M. Kelley forwarded a letter to FDIC's human resources associate director Miguel Torrado, asking the agency to obtain or pay for credit monitoring services from all three credit bureaus for the affected employees for at least a year. Kelley also asked the agency to give the employees and credit bureaus investigative reports so fraud alerts can be kept on their accounts for at least a year.
"We expect the FDIC to do everything it can to help the impacted employees, including hiring a credit monitoring service and identity theft resolution company," Kelley said in a statement.
This is the third known case announced this year of federal workers' personal data either being lost or stolen.
Last month, travel credit card data for about 80,000 Justice Department employees stored in a laptop was stolen from a travel agency's Fairfax, Va., office.
Earlier this year, charge card data for nearly 1.2 million federal employees, including some senators, went missing while Bank of America was shipping the data to a secure location.
In both cases, no information has been released as to what happened to the data.