- The Federal Deposit Insurance Corporation (FDIC) suffered more than 50 data breaches between January 2015 and December 2016, according to a report conducted by the Office of Inspector General (OIG). The OIG reviewed 18 of the 54 suspected breaches that jeopardized personally identifiable information (PII) of U.S. citizens.
- The FDIC houses troves of PII, including social security numbers, driver's license numbers and home addresses. The report found the FDIC did not perform impact assessments or communicate with the Data Breach Management Team within the designated timeframe for 13 of the 18 reviewed breaches.
- The agency has until September 2018 to correct the issues the OIG highlighted, including its response rate. The FDIC took about 288 days from the discovery of a breach to inform impacted individuals, and about 67% of the reviewed breaches took more than the 72-hour timeframe required for initial investigator actions. The FDIC took an average of 21 days to complete such tasks and did not have an incident response coordinator.
The frequency of data breaches is staggering, but complacency regarding PII is not an option. Federal information security fell short across 24 reviewed agencies, including network authorization and security management protocols.
Government entities are already scrutinized for the use of outdated technologies, but the handling of tech is just as important as the tech itself. Most cybersecurity experts would agree that attacks and breaches are not a question of "if" but "when."
Sometimes it is not so much the breach itself but the handling of the breach that worsens its impact. Equifax's data breach was only amplified by its delayed, disorganized and suspicious activities. On the flip side, the SEC ignored proper actions prior to its 2016 data breach. Security efforts conducted before and after a breach are sometimes of equal importance.
The U.S. government's cybersecurity practices fall short of other industries, but previously breached agencies, like the Office of Personnel Management (OPM), are making strides in recovery. After OPM's 2015 data breach, the agency has completed 11 of the 19 security tasks recommended by the GAO.