Over the past year, the FDIC has discovered a handful of separate but similar incidents involving FDIC employees who downloaded sensitive information to portable electronic storage devices and took the devices with them when they left FDIC employment. The storage devices contained electronic files with information about customers of certain financial institutions. Some of the files contained personal information, such as name, home address, Social Security Number (SSN)/ Tax Identification Number (TIN), and bank account information. The former FDIC employees had this information while employed by the FDIC but should not have taken it when they left.
The FDIC has reviewed these incidents and found no evidence to suggest that anyone has misused the information. As a precaution, the FDIC is notifying affected individuals so they make take precautions. We apologize for the inconvenience these incidents have caused individuals whose information was included. Also, since discovering these incidents, the FDIC has taken steps to strengthen its security controls to prevent this type of incident from recurring.
- Why did the FDIC have my information?
The FDIC is an independent agency of the U.S. government that insures deposits placed in banks and savings associations. The FDIC is also responsible for examining and supervising certain financial institutions, which includes reviews of bank account and loan files available at those institutions. Some of the files contained personal information, such as name, home address, Social Security Number (SSN)/ Tax Identification Number (TIN), and bank account information.
What type of information was included on the portable electronic storage devices?
The portable electronic storage devices included electronic files pertaining to certain financial institutions. Depending on the incident, some of the files contained personal information, such as name, home address, Social Security Number (SSN)/ Tax Identification Number (TIN), and bank account information.
What steps did the FDIC take to recover the data from the former employees?
Upon detecting the incidents, the FDIC took immediate steps to recover the data from the former employees. In addition to reviewing the incidents, the FDIC obtained a statement from each former employee in which they attested that they did not disseminate or compromise any of the information. Additional information regarding the incident in which your personal data was involved is contained within your letter.
How did the FDIC discover the incident?
The FDIC's Data Loss Prevention (DLP) tool identified the data downloads, which triggered our review of the incidents. The FDIC's DLP tool is a software product designed to detect where sensitive FDIC data is being stored, shared, downloaded, or distributed across endpoints, websites, networks, and storage systems.
We continually look for ways to enhance security at the FDIC, and the DLP tool has provided us an additional means to identify possible data loss and protect sensitive information.
- I have never had any dealings with the bank indicated in the letter I received. Why did you send me this letter?
It's possible that you may have applied for a loan with the bank but were either denied or had your application withdrawn. Or, you may also have applied to be a co-signer or co-borrower. In these instances, the bank would have requested or obtained personal information from you.
- Do you know whether identity theft has occurred?
At this time, we have no indications that anyone has misused the downloaded files or used any of your personal data for any purpose that would put your identity at risk. As a precaution, the FDIC is notifying individuals whose information was included, so they may take steps to protect themselves. These steps are described at this link and immediately below.
- How can I protect myself from misuse of my personal information?
To protect your identity and credit information, the FDIC is offering to provide you with two years of Identity and Credit monitoring services, as well as identity theft insurance and identity restoration services, at no cost to you, through IdentityForce, a provider of identity, privacy, and credit monitoring solutions. Instructions for signing up for IdentityForce services are on the Sign Up For Free Services page. Please enroll by February 28, 2017.
You can take other important steps to protect yourself. We encourage you to report any actual incident of identity theft to the Federal Trade Commission (FTC) at www.identitytheft.gov. Visit ftc.gov/idtheft for additional prevention tips and free resources.
We also encourage you to review your account statements carefully and report any suspicious activity to the institution issuing them. We recommend that you periodically review your credit reports, and if you discover information related to any fraudulent activity, ask the three credit reporting agencies to delete the information. If you do find suspicious activity on your credit reports, call your local police or sheriff's office and file a report of identity theft.
- Will placing a fraud security alert affect my credit rating?
Placing a fraud security alert will not affect your credit rating, but it may cause a delay in credit applications. If you are considering a fraud alert, you should consult with the credit reporting company on what impact an alert might have.
If I believe that my information has been misused, what can I do?
Please follow the steps outlined in the attachment to the letter you received. This will include following the instructions regarding identity theft from the FTC, potentially contacting your local law enforcement office to file a report of identity theft, and notifying the credit reporting agencies. If you sign up for the free services offered through IdentityForce, you may contact IdentityForce and take advantage of its team of Identity Restoration Specialists.We encourage you to report any actual incident of identity theft to the FTC at www.identitytheft.gov. Visit ftc.gov/idtheft for additional prevention tips and free resources.
- Do I need to contact the credit reporting agencies?
The FDIC has arranged for IdentityForce (a provider of identity, privacy, and credit monitoring solutions) to provide you two years of identity and credit monitoring services, as well as identity theft insurance and restoration services, at no cost to you. The letter you received from the FDIC contained a 10-digit PIN code that you will need to sign up for services with the provider.
We encourage you to take advantage of this no-cost opportunity to monitor your personal data. If you wish to take advantage of this service, enrollment instructions are included in the notification letter. Please enroll by February 28, 2017.
Federal legislation grants all consumers the ability to obtain a credit report every year, free of charge, from each of the three credit reporting agencies. The three agencies have set up a central website (www.annualcreditreport.com) and a central toll-free telephone number (1-877-322-8228) to help consumers request the report.
Even though we have no reason to think that your information was misused, we encourage you to check your account statements and balances diligently over the next 24 months for unauthorized or suspicious transactions.We encourage you to report any actual incident of identity theft to the FTC at www.identitytheft.gov. Visit ftc.gov/idtheft for additional prevention tips and free resources.
- What is the contact information for the three credit reporting agencies?
The contact information for the credit reporting agencies is as follows:
- Can this happen again?
The FDIC has taken steps to strengthen its security controls to prevent this type of incident from recurring, including implementing a technical solution that prevents employees from downloading data to portable storage devices or other removable media.
- I received the notification on behalf of a deceased relative; what should I do?
First, please know that we are sorry for the additional inconvenience this may place on you and your family during a difficult time.
The FDIC has reviewed these incidents and found no evidence to suggest that anyone has misused the information. However, as a precaution, the FDIC is notifying affected individuals so that they make take steps to protect themselves
To protect against potential misuse, the deceased individual’s information may also be enrolled in the identity theft protection services at the IdentityForce website using the PIN code in the notification letter. Other personal information about the deceased, including the last four digits of the individual’s Social Security number, will be necessary to enroll.
- Send the IRS a copy of the death certificate, which is used to flag the account to reflect that the person is deceased.
- Send copies of the death certificate to each credit reporting bureau asking them to put a “deceased alert” on the deceased’s credit report. The addresses are: Experian, P.O. Box 4500, Allen, TX 75013; Equifax Information Services LLC Office of Consumer Affairs, P.O. Box 105139, Atlanta, GA 30348; and TransUnion LLC, P.O. Box 2000, Chester, PA 19022.
- Review the deceased’s credit report for questionable credit card activity.
Visit ftc.gov/idtheft for additional prevention tips and free resources.
When I called the credit reporting agency (Experian/TransUnion/Equifax), they asked for my Social Security Number/Taxpayer Identification Number. Is it okay to give it to them?
Yes. The credit reporting agencies ask for your Social Security Number (or Taxpayer ID Number) and other personal information to identify you and avoid sending your credit report to the wrong person. It is okay to give this information to the credit reporting agency that you call. However, you should be vigilant in releasing your personal information to any third party.How do I know that this is not a scam?
You can verify the information about IdentityForce and the provision of credit monitoring services by emailing CreditMonitoring@fdic.gov or by calling IdentityForce directly at 844-866-3650. Neither IdentityForce nor the FDIC will ask you for payment. The FDIC is offering to provide Identity and Credit protection services, through IdentityForce, free of charge for two years. You will not be charged for these services.
How will IdentityForce authenticate/verify my identity?
Once you enter your PIN code at fdic.identityforce.com/pinvalidation you will be directed to the IdentityForce enrollment page, where you will be prompted to enter personal information including your name, address, telephone number, social security number and date of birth. This information is required in order for you to gain access to your credit report and credit monitoring services. In the final step, you will be asked several multiple choice “authentication questions,” based upon information contained within your credit report.Is there a telephone number I can call or an email address I can use to get more information?
You may call IdentityForce toll free at 844-866-3650 or send an email to CreditMonitoring@FDIC.gov.