An employee one week from retirement and acting without authorization downloaded more than 10,000 encrypted records including controlled unclassified information and privacy protected data onto two thumb drives, the Office of the Comptroller of the Currency told Congress last week.
“The downloads occurred in November 2015 and were first detected on Sept. 1, 2016” during a recently started retrospective review of employee use of removable media over the last two years, the OCC said in a statement Friday afternoon.
As well as Congress, OCC notified the director of Office of Management and Budget, the secretary of the Department Homeland Security and the head of the Government Accountability Office, as required by Federal Information Security Modernization Act procedure for dealing with “major information security incidents.”
OCC says it began the review in August 2016 following implementation of a policy preventing employees from downloading to removable media without supervisor approval. It’s still underway. The download of concern was immediately referred to the Treasury’s inspector general for investigation, and to agency management. The removable media have not been recovered.
OCC concluded on Oct. 27 that the event met OMB criteria to qualify as a major incident because of the sensitive nature of the information, the fact that the devices have not been recovered and the scale — “the incident involved the unauthorized removal of more than 10,000 records,” the agency said.
But it added that “There is no evidence to suggest that any non-public OCC information… has been disclosed to any member of the public or misused in any way.”
The incident is the second reported occurrence of an federal employee taking personally identifiable information out of a federal agency. In April, the Federal Deposit Insurance Corp. detected and quickly moved to mitigate a breach of 44,000 banking customers’ information after an employee leaving the agency inadvertently downloaded the data to a personal device. The employee, who worked in FDIC’s “resolution and receivership group,” signed an affidavit affirming that she did not in any way use or share the information, which was compromised in some cases of the personal information — like peoples’ names, addresses and loan numbers — of customers of banks that had closed.