As a data security company, it is our practice to review the growing numbers of cyber-breach reports and post-mortems. A recent one in particular caught our attention. It appears that the agency that insures our bank accounts is not only failing to insure our Personally Identifiable Information (PII), but also lacks proper incident response according to a government report.
An audit by the Office of the Inspector General (OIG) determined that the Federal Deposit Insurance Corporation's (FDIC) protocols for responding to a data breach aren't being followed, even while the agency has faced dozens of security incidents in the past two years. The OIG’s full report was released in September. The audit stemmed from a series of data breaches at the FDIC from January 2015 to December 2016. The agency believes that it was compromised 54 times within that period. The Office of Inspector General selected 18 of those breaches to evaluate for the audit.
Although the FDIC has taken steps to better comply with the Federal Information Security Management Act by instituting a breach response plan, auditors found that the organization often failed to implement key components of this plan for most of the security incidents reviewed.
For example, although they were supposed to notify individuals or businesses whose sensitive information had been compromised within 10 business days of completing an incident analysis, FDIC officials waited an average of 288 days (9+ months) after a breach was discovered before notifying affected individuals.
While the breach response plan did delineate who would be responsible for such procedures, those positions were either unfilled for long periods of time or staffed by employees who were not properly trained, leading to long delays in the process. Auditors also found instances of incomplete paperwork related to risk analysis that may have led to inconsistencies in the FDIC's response to each incident.
As a result, the sensitive and personally identifiable information (PII) of hundreds of thousands of people and organizations was left further exposed and those affected were unaware. According to the report, the PII includes “…names, telephone numbers, home addresses, social security numbers, driver’s license numbers, dates and places of birth, credit reports, education and employment histories, and the results of background checks."
The FDIC has a history of high-profile and embarrassing cybersecurity failures dating back to at least 2010. An annual report by the regulator said there were 159 incidents of unauthorized computer access during fiscal year 2015, according to a redacted copy obtained by Reuters under a Freedom of Information Act request. Rather than major breaches by hackers, these incidents included security lapses such as employees copying sensitive data to flash drives and then physically removing the data.
Employees engaged in fraudulent activities for personal gain or disgruntled workers sabotaging the business are hard to detect. These employees often have access rights to sensitive information, and privileges to move data inside and outside your network. But the current situation at the FDIC doesn’t have to be the norm.
We believe it’s accurate to state that deployment of OnFire, HoloNet’s game-changing Data-Centric Audit and Protection (DCAP) solution could have enabled the FDIC to detect and respond to data breaches within minutes, instead of weeks and months. OnFire provides an automated framework for analyzing how sensitive data travels across your network, who moves it and where they move it...in real time.
HoloNet OnFire can uncover negligent or malicious insider activities by detecting subtle but significant changes in user behavior and correlating them to data transfers by type and volume. OnFire focuses on how each user is accessing sensitive data by linking data in motion, together with its source and destination, to the users handling it. OnFire can detect when users load sensitive documents to personal storage devices or cloud-based storage and productivity applications such as Box and Slack in violation of company policy, putting sensitive data and IP at risk.
By providing constant 24/7/365 visibility into all sensitive data movements and real-time alerts when anomalous activities are detected, HoloNet’s superior profiling provides the accurate information needed for security operations teams to either take preventative measures, or immediately respond to a breach in progress. Dwell time is reduced to near-zero, narrowing the window of risk and accelerating the remediation process.
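To make the correlation described above concrete, here is an added illustration (not HoloNet's or OnFire's code) of the two checks a data-movement monitor performs: flagging transfers to destinations outside policy, and flagging a day whose volume is far above the user's own earlier baseline. The log format, the constructed sample records and the sanctioned-destination policy are assumptions for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample transfer log (not real FDIC data): date, user, destination, bytes.
SAMPLE_LOG = """\
2016-03-01 alice fileshare.corp 120000
2016-03-02 alice fileshare.corp 150000
2016-03-03 alice fileshare.corp 130000
2016-03-04 alice box.com 9800000
2016-03-01 bob fileshare.corp 50000
2016-03-02 bob removable:USB 60000
2016-03-03 bob fileshare.corp 55000
2016-03-04 bob fileshare.corp 58000
"""

# Destinations not sanctioned for sensitive data (assumed policy for this example).
UNSANCTIONED = {"box.com", "slack.com"}
VOLUME_FACTOR = 5  # flag a day whose volume exceeds 5x the user's prior-day average

def parse_log(text):
    """Return a list of (date, user, dest, nbytes) tuples."""
    rows = []
    for line in text.splitlines():
        date, user, dest, nbytes = line.split()
        rows.append((date, user, dest, int(nbytes)))
    return rows

def daily_volume(rows):
    """Map user -> {date: total bytes moved that day}."""
    vol = defaultdict(lambda: defaultdict(int))
    for date, user, _dest, nbytes in rows:
        vol[user][date] += nbytes
    return vol

def find_anomalies(rows):
    """Flag (a) transfers to unsanctioned cloud or removable destinations and
    (b) days whose volume is far above the user's own earlier baseline."""
    alerts = []
    for date, user, dest, nbytes in rows:
        if dest in UNSANCTIONED or dest.startswith("removable:"):
            alerts.append((user, date, "policy", dest))
    for user, days in daily_volume(rows).items():
        dates = sorted(days)
        for i, date in enumerate(dates[1:], start=1):
            baseline = statistics.mean(days[d] for d in dates[:i])
            if days[date] > VOLUME_FACTOR * baseline:
                alerts.append((user, date, "volume", days[date]))
    return sorted(alerts)
```

On the sample log, alice's 9.8 MB upload to box.com raises both a policy and a volume alert on the same day, while bob's USB copy raises only a policy alert because his volume stays within his own baseline.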
Isn’t that the kind of responsible and timely approach that you would like organizations with possession of your PII to take?
This blog reflects the contributions of the HoloNet team and guest bloggers who are data security experts. HoloNet Security is led by a team of seasoned security industry professionals with a proven record of success creating innovative security products and services.