The Federal Deposit Insurance Corporation believes it may have suffered more than 50 data breaches between Jan. 1, 2015 and Dec. 1, 2016. Many of the breaches involved personally identifiable information, which could include: names, phone numbers, home addresses, social security numbers, driver’s license numbers, birthdates and places of birth, credit reports, education/employment histories, and background check results.
The Office of the Inspector General recently released a report on the dozens of data breaches during the two-year period — the office initiated an audit based on the FDIC self-reporting a series of breaches during that same period. More than 113,000 people may have been affected by the breaches.
The FDIC is an independent federal government agency charged with insuring deposits to banks up to $250,000, and identifying, monitoring, and addressing risks to those funds. While the FDIC does have protocols for evaluating risk and informing individuals of data breaches, the Office of the Inspector General found those processes were “not adequate.”
According to the report, the FDIC did not “notify potentially affected individuals in a timely manner.” On average, it took the FDIC 288 days — more than 9 months — to notify individuals after discovering a breach. The report gives a number of reasons for the delayed notifications, including inadequate training and poor use of personnel.
Although the FDIC has taken steps to improve its response to breaches, the report notes that “further control improvements are needed.” The FDIC accepted the Inspector General’s recommendations and the agency “expects to complete all corrective actions by September 30, 2018,” which is still almost a year away.
Though this recent report now makes it clearly obvious, it’s been known that the FDIC has been plagued by data breaches in recent years. Last April, a simple mistake caused an FDIC data breach of 44,000 people, though an investigation determined none of the information in that specific case was leaked further (via The Washington Post).
(H/T The Hill)