FBI criticized for delaying breach notifications, including insufficient details
The Federal Bureau of Investigation does a poor job of notifying victims of cyber-attacks, a US government report released earlier this week concluded.
FBI notifications arrive either too late or contain insufficient information for victims to take action, a report from the Department of Justice’s Office of the Inspector General (DOJ-OIG) has concluded.
The report analyzed Cyber Guardian, an FBI application for storing information about tips and ongoing investigations. The system also allows agents to enter details about suspected victims, whom Cyber Guardian can later notify via automated messages.
But the DOJ-OIG report said FBI agents are not using the system as intended.
FBI agents not using the system as designed
For example, interviews with 31 agents revealed that 29 entered victim information in a lead category called “Action,” rather than the standard “Victim Notification.”
Action-labeled leads are treated as active investigations and don’t necessarily trigger immediate breach notification emails, as standard entries in the Victim Notification category would. By the time agents finish an Action-labeled investigation, victims have lost crucial time during which they could have learned of the breach and taken protective action.
The DOJ-OIG audit also found that FBI agents often made mistakes when filling in victim information. Investigators found typos, incorrect dates, and errors in classifying the incident’s severity.
Breach notifications varied in quality
The report also revealed that victim notifications varied in quality, which investigators attributed to the FBI agent entering the data.
Some agents were very descriptive about the incidents they logged in Cyber Guardian, leading to victims receiving useful notifications containing IP addresses linked to the malicious activity, date ranges, and instructions to deal with the attack’s aftermath. On the other hand, some agents provided very few details.
According to the DOJ-OIG report, many of these incomplete notifications were created by the same agents, an aspect that investigators said could be corrected through better training.
Auditors also found that the breach notification process could be improved overall if the FBI cooperated with other agencies and allowed them to enter data in Cyber Guardian as well, which should help enrich the quality of some notifications.
As a last observation, the DOJ-OIG found that the FBI also failed to notify victims of their rights under the Attorney General Guidelines for Victim and Witness Assistance, a document about the rights and legal recourse victims are entitled to.
“The FBI is developing a new system called CyNERGY to replace Cyber Guardian and, although we were unable to test the system,” the DOJ-OIG said. “We believe that if CyNERGY operates as intended, it could provide improvements to the current system.”