A former OCC employee downloaded at least 10,000 encrypted files onto two thumb drives, took them off the premises and has not returned them to the agency, the OCC said today in a notification to Congress of a “major information security incident” as required by federal law. “Based upon currently available information, there is no evidence to suggest that any non-public OCC information, including any personally identifiable information or controlled unclassified information has been disclosed to any member of the public or misused in any way,” the agency said.
The official took the files in the week prior to his retirement in November 2015, but the incident was not detected until Sept. 1, 2016, when the OCC was conducting a review of employee downloads to removable media. When contacted, the retiree was unable to find or return the thumb drives. The agency did not describe the data lost beyond the quote above.
The FDIC has also been plagued by employee-driven data breaches. A congressional investigation earlier this year identified major lapses at that agency, with current or former employees removing devices containing personal information of more than 160,000 people, as well as confidential bank supervisory information.
