Audit finds federal insurance group’s data management practices ‘inadequate’

The US Federal Deposit Insurance Corporation (FDIC) was subject to 54 data breaches between January 2015 and December 2016, according to an audit conducted by the Office of Inspector General (OIG).

The FDIC was founded in 1933 with the aim of restoring trust in the American banking system after the Great Depression. However, this latest audit has called the agency's practices into question, after a string of security failures was found to have put the personal data of well over 100,000 people at risk.

The inspector general’s office initiated its investigation in response to concerns raised by the Chairman of the Senate Committee on Banking, Housing, and Urban Affairs regarding a series of data breaches reported by the FDIC in late 2015 and early 2016.

Taking a sample of 18 cases (out of the 54 in total), the auditors found widespread failings in the FDIC's procedures for responding to a data breach. Security oversights in these 18 cases alone put the personally identifiable information (PII) of more than 113,000 people in jeopardy, the report states.

“Such PII includes, for example, names, telephone numbers, home addresses, social security numbers, driver’s license numbers, dates and places of birth, credit reports, education and employment histories, and the results of background checks,” the OIG said.

According to the report, the FDIC's Breach Response Plan committed the agency to notifying affected individuals within 10 business days of completing its analysis of the breached data, so that those individuals could take proactive steps to protect themselves.

“The implementation of these processes was not adequate,” the report stated. “The FDIC did not complete key breach investigation activities within the timeframes established in the [Breach Response Plan] for 13 of 18 suspected or confirmed breaches that we reviewed.

“In addition, the FDIC did not notify potentially affected individuals in a timely manner for the incidents we reviewed. Specifically, it took an average of 288 days – more than nine months – from the date the FDIC discovered the breaches to the date that the corporation began to notify individuals.”

Among the litany of identified failings, the inspector general's office said the FDIC did not adequately document key assessments and decisions relating to data breaches, did not track and report key breach response metrics, and left cybersecurity positions vacant or staffed by inadequately trained personnel.

“Implementing proper controls to safeguard this information and respond to breaches when they occur is critical to maintaining stability and public confidence in the nation’s financial system and protecting consumers from financial harm,” the auditors said.

The OIG report recommended seven corrective actions, including better funding and resource allocation, better and more thorough documentation practices, a charter to guide its data breach management team, and the establishment of metrics to assess employee and agency performance in the event of a breach.

The FDIC agreed with all of the recommendations and told auditors it expects to complete corrective actions by September 30, 2018.