ALEXANDRIA, Va.—NCUA’s Office of Inspector General has found no evidence that NCUA attempted to “obfuscate” the fact that an NCUA examiner was responsible for the loss of a flash drive from Palm Springs FCU.
The flash drive was full of member data from the $13-million California CU, but it did not include passwords or PINs. NCUA has said that to date there has been no indication of any unauthorized access to members’ accounts or attempts to gain improper access.
In addition to the OIG finding that NCUA did not attempt to obfuscate examiner responsibility, the OIG also determined that NCUA did not “unduly influence PSFCU, through its legal counsel, to use the word ‘auditor’ in lieu of ‘examiner’ in the notification letter.”
The OIG concluded that the NCUA’s Executive Director’s decision not to publicly announce the incident on NCUA’s website “was appropriate under the circumstances.”
The OIG’s report, shared in an NCUA Management Advisory Review, focused on:
- The use of the term “audit” in lieu of “exam,” in the notification letter, dated October 30, 2014, that PSFCU sent to affected credit union members and the California Office of the Attorney General. Here, OIG focused particularly on whether NCUA’s Office of General Counsel (OGC) either proposed or influenced the use of the term “audit” in order to obfuscate the fact that an NCUA examiner was responsible for the loss of the flash drive.
- Whether NCUA’s decision not to publicly announce the incident on the agency’s website was appropriate under the circumstances.
For the full OIG review, click here.
NAFCU President and CEO Dan Berger addressed NCUA’s efforts to prevent a similar incident from occurring in the future.
“NAFCU appreciates NCUA’s Office of Inspector General reviewing how the agency handled its examiner’s loss of an external flash drive containing sensitive personal and financial credit union member data,” said Berger. “We recognize NCUA’s efforts to assess its systems and restate its policies to prevent a similar incident from recurring in the future. We firmly believe that NCUA, as a steward of credit unions’ sensitive information and as a federal regulator, must be held to the highest standard for safeguarding such data. We urge NCUA to continue to review its internal practices to ensure they are sufficient to protect data.”
In a previous statement, NCUA explained the flash drive loss “resulted from a failure to follow agency policies on securing sensitive data,” NCUA said. “These procedures, which have been in place since 2008, require NCUA examiners at all times to properly secure and control electronic devices containing sensitive or confidential information. The agency has conducted more than 28,000 examinations since these security policies have been in effect without encountering a notable problem.”
In January, the NCUA board approved a payment of up to $50,000 for costs associated with a data breach at Palm Springs FCU that was caused by the flash drive loss. NCUA said it will pay the credit union for activities, such as credit reporting monitoring for members, CU staff time associated with the breach, and legal fees. In January, NCUA said costs to date from the breach are approximately $36,000. The payments will come from the agency’s existing operating fund. If costs exceed $50,000, the board said it will need to take additional action.