As detailed in this American Banker article, an FDIC employee who was leaving the agency copied over 40,000 records with PII onto a portable drive.  Although technically a data breach, the intent was apparently innocuous as the employee was copying various personal photos and other files (which probably shouldn’t be on an FDIC work computer) on her last day of work.

The good news is that the FDIC’s internal monitoring identified the breach and the data was recovered with the full cooperation of the individual. The bad news is that the FDIC apparently lacked internal controls preventing the copying of data onto a portable storage device, or even a policy prohibiting employees from doing so. There are plenty of technologies that can enforce this, and they are in wide use in the private sector. The fact that the FDIC lacks these basic controls is alarming.

Some common-sense lessons from this event: employees should be systematically prevented from copying data onto portable storage devices (or to any outside cloud-based storage platform that is not under the organization’s control), and organization policies should prohibit any personal files or data from being stored on work computers.
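One concrete form of the first lesson, on a Windows fleet, is the built-in "Removable Disks: Deny write access" policy, which blocks exactly the copy-to-thumb-drive path described above. The script below is an added example and is not from the article or the FDIC; it assumes a Windows host, an elevated PowerShell session, and a machine that is not already under a Group Policy Object (a GPO would overwrite these local registry values). It reads the current state (the default "Allowed" state is the weak configuration the article describes), sets the deny-write value, and, on the detection side, lists recent USB mass-storage plug-in events so a monitoring team can see the same signal the FDIC's internal monitoring caught. The device-class GUID and event IDs are ones I know Windows uses; the function names are my own.

```powershell
# Added example: audit, enforce and monitor removable-disk write access on Windows.
# Assumes an elevated session on a host not managed by a domain GPO.

# Device-class GUID for "Removable Disks" (GUID_DEVINTERFACE_DISK), the
# subkey under which the Removable Storage Access policies are stored.
$DiskClass  = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskPolicy = Join-Path $PolicyRoot $DiskClass

function Get-RemovableDiskWritePolicy {
    # Returns 'Denied' when writes to removable disks are blocked, and
    # 'Allowed' (the Windows default, and the weak state) otherwise.
    $value = Get-ItemProperty -Path $DiskPolicy -Name 'Deny_Write' -ErrorAction SilentlyContinue
    if ($value -and $value.Deny_Write -eq 1) { return 'Denied' }
    return 'Allowed'
}

function Set-RemovableDiskWriteDenied {
    # Registry form of the Group Policy setting
    # Computer Configuration > Administrative Templates > System >
    # Removable Storage Access > "Removable Disks: Deny write access".
    if (-not (Test-Path $DiskPolicy)) {
        New-Item -Path $DiskPolicy -Force | Out-Null
    }
    New-ItemProperty -Path $DiskPolicy -Name 'Deny_Write' -PropertyType DWord -Value 1 -Force | Out-Null
    # Caveat: a device that is already mounted keeps its current access until it
    # is replugged; the restriction applies to every new mount.
}

function Get-RecentRemovableDiskEvents {
    param([int]$Hours = 24)
    # Detection side: Kernel-PnP configuration events 400 (device configured)
    # and 410 (device started). Their message text carries the device instance
    # path, which begins with USBSTOR\ for USB mass-storage devices.
    $filter = @{
        LogName   = 'Microsoft-Windows-Kernel-PnP/Configuration'
        Id        = 400, 410
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'USBSTOR\\' } |
        Select-Object TimeCreated, Id, Message
}

# --- usage ---
"Removable-disk write policy: $(Get-RemovableDiskWritePolicy)"
if ((Get-RemovableDiskWritePolicy) -eq 'Allowed') {
    Set-RemovableDiskWriteDenied
    "Removable-disk write policy now: $(Get-RemovableDiskWritePolicy)"
}
# USB storage devices seen in the last day; an empty list means none were configured.
Get-RecentRemovableDiskEvents -Hours 24 | Format-Table -AutoSize
```

In a managed environment the same setting would be pushed through a GPO or an MDM profile rather than set locally, and the plug-in events would be forwarded to a central log collector; the point of the script is to show that the control is a single built-in setting, not a product purchase, and that the corresponding detection signal is already in the event log.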

There is rarely such a thing as a small data breach.