Over the course of two years, the Federal Deposit Insurance Corporation (FDIC) could have experienced as many as 54 data breaches, according to a recent report from the Office of the Inspector General. The breaches occurred between 2015 and 2016, and could have compromised personally identifiable information (PII) data, the report said.

According to the report, 113,000 individuals could have been affected by the breaches and potentially had their PII compromised. For those unfamiliar, PII data can include name, telephone numbers, social security numbers, addresses, birthday, education, credit reports and more.

The purpose of the report was to evaluate how the FDIC–which insures bank deposits and supervises financial institutions, among other things–investigated and responded to the breaches. The report itself was built on investigations of 18 of the alleged breaches.

SEE: Information security incident reporting policy (Tech Pro Research)

One of the most striking findings was how the FDIC handled notifying the potential victims of their breaches. Of the 18 cases reviewed in the report, the FDIC only contacted victims related to five of the incidents. Additionally, it took an average of 288 days–or more than 9 months–from the date the breach was discovered to the date that the FDIC notified affected individuals.

The time between the discovery of a breach and notification is critical. As the report noted, “the longer it takes to complete breach investigation activities and notify potentially affected individuals, the greater the risk of harm that may come to individuals because they cannot quickly take proactive actions to protect themselves.”

And these breaches weren’t small or inconsequential. Six of the breaches reviewed for the report were considered “major incidents,” described in the report as “An incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”

So, what went wrong? The report noted that the FDIC does have a formal plan in place for responding to breaches, but that it wasn’t adequately implemented. The organization lacked key staff like an Incident Response Coordinator, didn’t properly document decisions, did not track and report its key breach response metrics, and lacked proper control over its Data Breach Management Team, the report said.

The FDIC has since increased its resources for incident response and come up with a new response plan. However, financial institutions and banks that could have been affected should contact their FDIC liaison to determine potential impact.

The 3 big takeaways for TechRepublic readers

  1. From 2015-2016, the FDIC could have been breached more than 50 times, according to a new report from the Office of the Inspector General.
  2. As a result of the breaches, PII data from 113,000 individuals could have been impacted.
  3. The FDIC didn’t notify victims in a timely manner, lacked key security staff, and poorly implemented its breach response plan, the report said.