
U.S. Banking Regulator Hit by 54 Breaches in 2015, 2016

The U.S. Federal Deposit Insurance Corporation (FDIC) in the last two years may have suffered as many as 54 data breaches involving personally identifiable information (PII), revealed a report from the FDIC Office of Inspector General (OIG).


Created in response to the thousands of bank failures in the 1920s and 1930s, the FDIC is an independent agency that provides insurance to depositors. The standard insurance amount is $250,000 per depositor, per insured bank.

The report, made public last week, focuses on the FDIC’s processes for responding to data breaches, and it’s based on an audit conducted in response to concerns raised by the chairman of the Senate Committee on Banking, Housing, and Urban Affairs.

The OIG’s audit focused on 18 of the 54 suspected or confirmed breaches discovered by the FDIC between January 1, 2015 and December 1, 2016. The 18 incidents reviewed by auditors affected more than 113,000 individuals.

The audit found that in 13 of the 18 cases the FDIC did not complete some key breach investigation activities, such as assessing impact and convening the data breach management team, within the timeframe established in the agency’s Data Breach Handling Guide (DBHG).

It took the organization, on average, more than 9 months to notify affected individuals after discovering a breach. It took between 145 days and 215 days to send out notifications to impacted people after the decision was made to notify victims. In one incident that affected nearly 34,000 people, the FDIC sent out the notifications exactly one year after the breach was discovered.

The failure to notify affected individuals and investigate the breaches in a timely manner was due to the lack of an incident response coordinator, the failure to provide adequate training to information security managers, and insufficient privacy staff for managing incident response activities, the OIG said in its report.

The audit also found that the FDIC failed to adequately document key assessments and decisions; failed to clearly define the purpose, scope, governance structure and key operating procedures of its data breach management team; and it did not track and report key breach response metrics.

A report published last year by the House of Representatives Science, Space and Technology Committee revealed that threat actors believed to be from China breached the systems of the FDIC in 2010, 2011 and 2013, and planted malware on a significant number of servers and workstations. The committee concluded that the agency’s CIO had attempted to cover up the incident.

Related: Sensitive FDA Systems at Risk of Cyberattacks

Related: DHS Used Outdated, Unpatched Systems

Related: Nuclear Agency’s Cybersecurity Center Not Optimized

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
