The U.S. Office of the Comptroller of the Currency (OCC) announced on Friday that it has notified Congress and other federal agencies of a “major information security incident,” as required by federal law, involving a cyber breach in which a former employee downloaded, and subsequently lost, thousands of records.
According to the OCC, the former employee downloaded a large number of files onto two removable thumb drives in November 2015, prior to his retirement. After those downloads were detected earlier this year, as part of a review of employee downloads, the employee was unable to locate the devices or return them to the agency.
The OCC concluded that this met the criteria of a major incident “because it involved controlled unclassified information, including privacy information; the devices containing the information are not recoverable; and the incident involved the unauthorized removal of more than 10,000 records.”
The devices are encrypted, and the OCC says that there is currently no evidence that the information contained on them “has been disclosed to any member of the public or misused in any way.”
The OCC also points out that it has since adopted policies and technical safeguards to prevent such an event from occurring again.