[BreachExchange] FDIC hit by 50+ breaches in a two year period

[Audrey McNeil]

http://www.techrepublic.com/article/fdic-hit-by-50-
breaches-in-a-two-year-period/


Over the course of two years, the Federal Deposit Insurance Corporation
(FDIC) could have experienced as many as 54 data breaches, according to a
recent report from the Office of the Inspector General. The breaches
occurred between 2015 and 2016, and could have compromised personally
identifiable information (PII) data, the report said.

According to the report, 113,000 individuals could have been affected by
the breaches and potentially had their PII compromised. For those
unfamiliar, PII data can include name, telephone numbers, social security
numbers, addresses, birthday, education, credit reports and more.

The purpose of the report was to evaluate how the FDIC—which insures bank
deposits and supervises financial institutions, among other
things—investigated and responded to the breaches. The report itself was
built on investigations of 18 of the alleged breaches.

One of the most striking findings was how the FDIC handled notifying the
potential victims of their breaches. Of the 18 cases reviewed in the
report, the FDIC only contacted victims related to five of the incidents.
Additionally, it took an average of 288 days—or more than 9 months—from the
date the breach was discovered to the date that the FDIC notified affected
individuals.

The time between the discovery of a breach and notification is critical. As
the report noted, "the longer it takes to complete breach investigation
activities and notify potentially affected individuals, the greater the
risk of harm that may come to individuals because they cannot quickly take
proactive actions to protect themselves."

And these breaches weren't small or inconsequential. Six of the breaches
reviewed for the report were considered "major incidents," described in the
report as "An incident that is likely to result in demonstrable harm to the
national security interests, foreign relations, or economy of the United
States or to the public confidence, civil liberties, or public health and
safety of the American people."

So, what went wrong? The report noted that the FDIC does have a formal plan
in place for responding to breaches, but that it wasn't adequately
implemented. The organization lacked key staff like an Incident Response
Coordinator, didn't properly document decisions, did not track and report
its key breach response metrics, and lacked proper control over its Data
Breach Management Team, the report said.

The FDIC has since increased its resources for incident response and come
up with a new response plan. However, financial institutions and banks that
could have been affected should contact their FDIC liaison to determine
potential impact.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171006/1877e1e8/attachment.html>