The U.S. Federal Deposit Insurance Corporation (FDIC) in the last two years may have suffered as many as 54 data breaches involving personally identifiable information (PII), revealed a report from the FDIC Office of Inspector General (OIG).
Created in response to the thousands of bank failures in the 1920s and 1930s, the FDIC is an independent agency that provides insurance to depositors. The standard insurance amount is $250,000 per depositor, per insured bank.
The report, made public last week, focuses on the FDIC’s processes for responding to data breaches, and it’s based on an audit conducted in response to concerns raised by the chairman of the Senate Committee on Banking, Housing, and Urban Affairs.
The OIG’s audit focused on 18 of 54 suspected or confirmed breaches discovered by FDIC between January 1, 2015 and December 1, 2016. The 18 incidents reviewed by auditors affected more than 113,000 individuals.
The audit found that in 13 of the 18 cases the FDIC did not complete some key breach investigation activities, such as assessing impact and convening the data breach management team, within the timeframe established in the agency’s Data Breach Handling Guide (DBHG).
It took the organization, on average, more than 9 months to notify affected individuals after discovering a breach. It took between 145 days and 215 days to send out notifications to impacted people after the decision was made to notify victims. In one incident that affected nearly 34,000 people, the FDIC sent out the notifications exactly one year after the breach was discovered.
The failure to notify affected individuals and investigate the breaches in a timely manner was due to the lack of an incident response coordinator, the failure to provide adequate training to information security managers, and insufficient privacy staff for managing incident response activities, the OIG said in its report.
The audit also found that the FDIC failed to adequately document key assessments and decisions; failed to clearly define the purpose, scope, governance structure and key operating procedures of its data breach management team; and it did not track and report key breach response metrics.
A report published last year by the House of Representatives Science, Space and Technology Committee revealed that threat actors believed to be from China breached the systems of the FDIC in 2010, 2011 and 2013, and planted malware on a significant number of servers and workstations. The committee concluded that the agency’s CIO had attempted to cover up the incident.
Related: DHS Used Outdated, Unpatched Systems