The Office of Inspector General (OIG) for the Export-Import Bank of the United States (EXIM) discovered that the agency did not properly protect personally identifiable information (PII) stored on a shared network drive, in an incident the OIG is calling a “potential breach.”
According to a Jan. 2 OIG report, EXIM Bank – the official export credit agency of the United States – stored multiple files that contained “protected or restricted information” on a shared network drive made available to all agency IT systems users.
“OIG is informing EXIM of this incident – and potential breach – because it risks unauthorized disclosure or unauthorized access to sensitive information, including information EXIM is obligated to protect under the Privacy Act of 1974 (Privacy Act),” the report says.
Specifically, the OIG explained that it identified documents such as reimbursement forms, employee evaluations and ratings, employee performance improvement plans, and job applicant assessments and ratings, among other documents that could contain PII.
In some instances, the OIG said it found documents that included the name, address, and Social Security number of the individual involved. Additionally, the OIG found documents that reference “ongoing litigation or potentially law enforcement sensitive information.”
“OIG recognizes that EXIM operations may benefit from using a shared network drive to allow users to work collaboratively,” the report reads. “However, having a shared network drive adds risk that users may inappropriately or inadvertently save or store protected or restricted-access PII and/or other restricted documentation.”
Additionally, the OIG emphasized that EXIM Bank is required under the Privacy Act to only disclose records to authorized personnel. This includes keeping electronic records in password-protected systems, ensuring only individuals with a need to know have access.
The OIG issued four recommendations to EXIM Bank, including that the Office of Information Management and Technology should “immediately restrict access to documents containing Privacy Act information” or other documents containing PII stored on EXIM Bank’s IT systems.
It is also recommending that the senior agency official for privacy, in coordination with the Office of General Counsel, “should assess within the Office of Management and Budget guidance whether there is a requirement to report the incident, and potential breach, and determine if any of the files were inappropriately accessed by individuals without a need to know.”
The third recommendation tasks the chief information officer and the chief information security officer with developing a report regarding the circumstances that led to the incident – and potential breach – and the lessons learned that will prevent future incidents.
Finally, the OIG is recommending that the Office of Information Management and Technology implement any changes or lessons learned identified in the incident report, including policy changes or updated security training.
EXIM Bank agreed with all four recommendations and thanked the OIG for alerting it to the potential breach.