A US federal banking regulator has been forced to notify Congress regarding a “major security incident” after a former employee downloaded tens of thousands of internal files before retiring last year.
The employee, who has not been identified nor has their position been made public, worked at the Office of the Comptroller of the Currency (OCC) and downloaded the files in question to two USB flash drives in November 2015. Once the security breach was discovered, the employee in question was contacted though they were unable to find the two drives containing the internal files.
Shockingly it took ten months for the security breach to be discovered by the OCC. The regulator only became aware of the incident while conducting a “retrospective review of employee downloads to removable media.” The review itself was prompted by policy changes that led the OCC to discover the breach and had these changes not been implemented it might have gone unnoticed.
The ongoing review began in August 2016 and was able to determine that the employee's download habits had altered before his or her retirement. At that point, the matter was handed over to the Treasury Department's Officer of Inspector General (OIG) for further investigation. The OCC determined that the data loss was indeed a major security incident on 27 October. The regulator noted that private information was leaked, the devices used to download the data were unrecoverable and that 10,000 records had been removed without authorisation.
So far there has been no indication that the data was used for malicious or illegal purposes. The OCC also confirmed that the data was encrypted and it has since increased security measures to prevent any further data leaks in the future.
The OCC has since released a statement regarding the security breach in which it noted that no further information has been made public, saying: “The OCC takes its commitment to cyber and information security seriously. Should the OCC's continued review identify additional such incidents, the agency will report them as appropriate.
“Based upon currently available information, there is no evidence to suggest that any non-public information, including any personally identifiable information or controlled unclassified information has been disclosed to any member of the public or misused in any way.”
Image Credit: You Can More / Shutterstock