A federal bank regulator on Friday revealed details about “a major information security incident” that resulted in the misplacement last year of more than 10,000 records.
The Office of the Comptroller of the Currency (OCC) said it became aware of the breach after the office implemented a new policy this summer intended to keep employees from downloading files to removable storage devices without approval.
The OCC was investigating two years’ worth of downloads when it noticed a “significant change” in the patterns of a particular employee shortly before their retirement in Nov. 2015, and determined upon further review the worker had saved more than 10,000 records to a pair of portable thumb drives.
The OCC said it became aware of the peculiar downloads on Sept. 1 and later contacted the former employee, who “was unable to locate or return the thumb drives to the agency,” according to the statement.
While the contents of the more than 10,000 missing records are considered unclassified, the breach resulted in the compromise of enough privacy-related information to warrant being categorized as a “major incident” in accordance with U.S. Office of Management and Budget (OMB) criteria.
“Based upon currently available information, there is no evidence to suggest that any non-public OCC information, including any personally identifiable information or controlled unclassified information has been disclosed to any member of the public or misused in any way,” the statement said.
An OCC spokesman told the Wall Street Journal that information “related to OCC activities and employees” was included on the drives, and added there is “no indication that there was bank customer information among the files removed.”
The thumb drives were encrypted to prevent misuse, according to the OCC, and new safeguards have since been implemented to prevent any similar events from occurring in the future.
Congress, the Department of Homeland Security, the Government Accountability Office and OMB have all been briefed on the breach, the OCC said. A spokesman with the House Committee on Science, Space, and Technology told the Wall Street Journal the panel was monitoring the OCC’s response, and will work to ensure the OCC “responds to the incident appropriately, remediating any potential damaging effects to sensitive information” on its systems.
The OCC and two of the nation’s other biggest financial regulators — the Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve — announced earlier this month they plan to introduce new guidelines next year intended to ensure the country’s largest banks have policies in place to help bounce back from any breaches caused by cyberattack. The measures “would be designed to increase covered entities’ operational resilience and reduce the potential impact on the financial system in the event of a failure, cyberattack or the failure to implement appropriate cyber risk management,” their notice said.