Content, Governance, Risk and Compliance, Breach

Watch Your Back: FDIC Admits 50+ Data Breaches of Personal Info in 2015, 2016

The Federal Deposit Insurance Corp. (FDIC), the government entity that not only insures your bank deposits but also collects your personally identifiable information (PII), was victimized by more than 50 security breaches in 2015 and 2016. But that's not the really bad news: Its substandard security processes and tardy notifications made the break-ins worse, a new report concluded.

An audit by the Office of Inspector General (OIG) issued last month was critical of the FDIC’s sluggish responses to 54 attacks during that two-year period. Crooks may have pilfered sensitive PII data--names, telephone numbers, home addresses, social security numbers, driver’s license numbers, dates and places of birth, credit reports, education and employment histories, and the results of background checks--belonging to hundreds of thousands of people, the report said.

As if that weren't alarming enough, the FDIC kept the heists to themselves for a good while. On average, it waited more than nine months to inform people whose confidential information may have been hijacked in the breaches, according to the OIG audit. Apparently, the Chairman of the Senate Committee on Banking, Housing and Urban Affairs grew concerned over the data breaches, prompting the audit.

“The objective of this audit was to assess the adequacy of the FDIC’s processes for (1) evaluating the risk of harm to individuals potentially affected by a breach involving PII and (2) notifying and providing services to those individuals, when appropriate,” the report said. The OIG said it examined the “FDIC’s handling of 18 of 54 suspected or confirmed breaches involving PII that the FDIC discovered during the period January 1, 2015 through December 1, 2016.” (FYI, six of the 18 reviewed were considered “major incidents.”)

Last April, the FDIC developed what it called at the time the Data Breach Handling Guide (DBHG), later renamed the Breach Response Plan, outlining formal processes for responding to data breaches. “The implementation of these processes was not adequate,” the report said. Here’s where the the FDIC failed:

  • Did a bad job of investigating the breach and notifying affected individuals in a timely way
  • Didn’t adequately document key assessments and decisions
  • Didn’t strengthen controls over the data breach management team (DBMT)
  • Didn’t track and report key breach response metrics

While nodding to the FDIC’s efforts to strengthen its breach response activities, the OIG concluded there’s more that needs to be done and offered seven recommendations:

  • Require the FDIC to explain its rationale, in written form, justifying the overall impact levels assigned to breaches
  • Establish a charter or similar mechanism for the DBMT that defines its purpose, scope, responsibilities, membership, governance structure and operations
  • Develop and implement a process for briefing the DBMT on the final findings of breach investigations and the actions taken in response to DBMT recommendations to resolve breach events
  • Provide specialized training for DBMT members that includes tabletop exercises to ensure they fully understand and consistently implement their roles and responsibilities
  • Establish, track, and report metrics to assess the performance of breach response activities
  • Coordinate with the FDIC chairman to update the Chief Privacy Officer’s designation to reflect organizational changes made since 2005

In a written response dated September 25, 2017, the FDIC agreed with the recommendations and pledged to complete the fixes by September 30, 2018.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.