As the insurer for deposits at most of the nation’s banks, the Federal Deposit Insurance Corp. collects a large amount of personally identifying information on bank customers. As such, the FDIC is a target for hackers, who hit it with 54 suspected or confirmed data breaches discovered between Jan. 1, 2015, and Dec. 1 of last year, a report from the FDIC’s Office of the Inspector General (OIG) says.
The report, issued Sept. 29, is the result of an OIG audit of the FDIC’s handling of 18 of the breaches. Those breaches potentially affected more than 113,000 individuals. The OIG did the audit after the Senate Banking Committee expressed concerns about the FDIC’s security in the wake of a series of data breaches the agency reported in late 2015 and early 2016.
Although the FDIC had a data-breach response plan in place at the time of the breaches, the OIG criticizes the agency for not completing important breach-investigation activities, not tracking its response metrics, notifying affected bank customers in only five of the 18 breaches, and not documenting key assessments and decisions.
In the five instances where the FDIC did notify customers that their personal information was hacked, the report notes that the agency took an average of 288 days, or more than nine months, from the date it discovered the breaches until it began sending notifications.
The OIG said its report “contains seven recommendations … that are intended to promote more timely breach-response activities and strengthen controls for evaluating the risk of harm to individuals potentially affected by a breach, and notifying and providing services to those individuals, when appropriate.”
FDIC executives provided written responses to the OIG audit, which are included in the report. “FDIC management concurred with our recommendations and described planned and completed actions to address the recommendations,” the report says. “The FDIC expects to complete all corrective actions by Sept. 30, 2018.”
The report does not go into detail about what types of personal information were stolen in the individual breaches, but it notes that the information could have included names, telephone numbers, home addresses, Social Security numbers, driver’s license numbers, dates and places of birth, credit reports, education and employment histories, and the results of background checks. Any credit-report information might have included credit card data.