Another PII Breach at the SEC

07/09/2013

7/9/13: Today, the SEC sent out notices to SEC employees informing them about a data breach involving their personally identifiable information (PII), including the names, dates of birth and social security numbers of individuals who worked for the SEC prior to October 2009. The Union has requested a briefing on this issue, and has also requested that the agency provide one year of credit monitoring services to all affected employees who request it.

What we have been told so far is that this breach occurred in 2009, when a former SEC employee, who had access to employee lists with PII as part of his or her job at the agency, downloaded such a list along with a number of other files on a thumb drive before leaving the agency for a new job at another federal agency. This apparently occurred prior to the SEC's current rules prohibiting the downloading of files to an unencrypted thumb drive. We have been told that this was inadvertent, and that an internal investigation at the other federal agency indicates that nobody accessed the information.

Nevertheless, the Union is requesting further and more detailed information about this incident. Furthermore, in light of the fact that the breach involves both social security numbers and dates of birth, linked to employees' names, the potential for identity theft is obviously heightened. For that reason we are seeking credit monitoring services.

The need to protect credit ratings is particularly acute at the SEC, because the SEC routinely monitors employees' credit ratings as part of background checks at the agency by security contractors. Employees who have credit problems have received notifications from these contractors stating that their jobs could be terminated due to issues with their credit.

This is, unfortunately, not the first time that the SEC has suffered from a security lapse with respect to employees' PII. In late 2011, the SEC reported a large security breach in connection with the SEC's "Ethics Program System" for ethics compliance and conflicts checks. At that time, the Union demanded and obtained credit monitoring services for affected employees.

"Even if the risk of actual theft of the information is relatively low in a particular case, monitoring services should be provided where the exposed information has such a high potential for damage to individuals," NTEU Chapter 293 President Greg Gilman stated this morning. "Due to the fact that both social security numbers and dates of birth were exposed to potential mischief, the Union believes that the SEC should take all reasonable actions to protect its employees, including the provision of credit monitoring services for one year."

We will update you when we have further information.