Between 2010 and 2013 the FDIC suffered multiple data breaches from targeted malware. Phishing emails, reportedly originating from China, were sent to C-level executives (CEO, CFO, CTO, etc.), a common choice of target because executives are likely to open a cleverly disguised email and its attachment. According to Ars Technica, “Backdoor malware was installed on 12 workstations and 10 servers by attackers—including the workstations of the chairman, chief of staff, and general counsel of the FDIC. But the incidents were never reported to the US Computer Emergency Response Team (US-CERT) or other authorities and were only brought to light after an Inspector General investigation into another serious data breach at the FDIC in October of 2015.”
The FDIC’s upper management actively sought to hide these breaches for several years. In addition, they denied the IT department money and resources to properly secure the data, which contributed to further data breaches.
The breaches only came to light because a departing employee copied more than 1,200 documents to a thumb drive before quitting, including bank data containing Social Security numbers for more than 44,000 people and records on 30,715 banks.
The FDIC initially underreported the number of affected people as around 10,000. That discrepancy led to a much larger investigation, which uncovered the earlier breaches and exposed failures across multiple departments.
The lesson is that every breach eventually comes out, and hiding one always makes the outcome worse.
It is also important to spend adequately on IT and security. On average, ACS clients pay 1-2% per year, which is quite low; businesses typically spend 8-12% on IT and security. We have been able to provide the same quality at an affordable price with our People, Process, Technology Program. If you haven’t yet, give us a call to get signed up!