The top U.S. banking regulator revealed Friday that a former employee downloaded thousands of files from the agency’s servers without authorization nearly a year ago and that the agency has not yet been able to recover those files.
In a notification sent to Congress and several other federal agencies, the Office of the Comptroller of the Currency said Friday that a “major information security incident” took place in November 2015.
According to the OCC notification, which was also sent to the director of Office of Management and Budget, the secretary of Homeland Security, the head of the Government Accountability Office, the incident involves a former employee who downloaded a “large number” of files onto two removable thumb drives without authorization prior to retiring from the agency.
The OCC said that when it contacted the former employee about those files, he was “unable to locate or return the thumb drives to the agency.”
According to the OCC, the unauthorized downloads occurred in November 2015, but were not discovered until Sept. 1, 2016, during a “retrospective review of employee downloads to removable media” conducted by the OCC that covered downloads that took place of the last two years.
The OCC said that it began that review in August 2016 following the implementation of a policy preventing employees from downloading information and data to removable media without supervisor approval.
According to the OCC, that review uncovered a “significant change” in the former employee’s download patterns during his final week of employment at the OCC.
After discovering the unusual download pattern, the OCC contacted the Treasury Department’s Office of Inspector General to begin an investigation, and the agency’s Core Management Group to begin an internal review.
Based on the CMG’s review and using information from the Treasury OIG investigation, the OCC determined on Oct. 27, 2016 that the event met the criteria of a “major incident” because it involved “controlled unclassified information, including privacy information.”
Additionally, the OCC said that the incident qualifies as a “major information security incident” because the devices containing the information in question are not currently recoverable, and because the incident involved the “unauthorized removal of more than 10,000 records.”
The OCC notification did not identify the types of documents that were removed nor the information contained within those documents.
The OCC did caution that based on current information, there appears to be no evidence to suggest that “any non-public OCC information, including any personally identifiable information or controlled unclassified information has been disclosed to any member of the public or misused in any way.”
The OCC said that the information on the two thumb drives is encrypted based on OCC policy to prevent information that is lost or stolen from being misused.
“The incident has not adversely affected OCC systems or the OCC’s mission, nor has the agency detected corruption of any data as a result of the incident,” the OCC said. “Furthermore, policies and technical safeguards implemented in August 2016 now prevent such an event from occurring.”
The OCC adds that it “takes its commitment to cyber and information security seriously,” adding that if its ongoing review identifies additional similar incidents, the agency will report them “as appropriate.”