The National Credit Union Association Inspector General will investigate how a thumb drive containing PII went missing.
The National Credit Union Association Inspector General will investigate how a thumb drive containing PII went missing.

In what might be viewed as a wee bit of irony, it seems a regulator caused a data breach that National Credit Union Association (NCUA) Inspector General James Hagen now says his office will investigate.

Members of the Palm Springs Federal Credit Union, a small financial institution in California received a letter from its CEO, Debbie Pitigliano, in October, informing them that personally identifiable information (PII), including Social Security numbers, names, addresses and account numbers may have been exposed after a thumb drive containing the information disappeared on or around October 20 during an audit by an NCUA examiner.

But the agency didn't reveal that the thumb drive had been lost by one of its examiners until after news of the breach appeared in the press. The breach and the apparent secrecy around it generated concern that the NCUA does not have the proper safeguards in place for protecting sensitive data and prompted IG Hagen to say in a Monday statement that his office will audit the agency to determine why NCUA the breach remained mum until news of the breach became public as well as to uncover who leaked information to the press, according to a report in the Credit Union Journal.

The CU Journal also quoted a spokesperson for the IG's office, Sharon Spear, as saying the investigation was prompted “in response to an allegation of wrongdoing” though she did not identify the source of the allegation.

On Dec. 17, Michael Fryzel, former chairman of the NCUA, penned an opinion piece in Credit Union Times taking the NCUA to task for its failure “to disclose when [the breach] occurred, not telling the industry that it happened and what steps the agency has taken to prevent its reoccurrence” and calling for an investigation.

Fryzel hinted that the NCUA was dodging blame for the lost drive, noting that used of the word “audit” in  the breach notification letter “would lead one to believe that the breach was caused by the credit union's CPA or internal auditor” rather than an NCUA examiner.

Pointing to the inconvenience and risk to credit union members as well as the cost of a breach, Fryzel wrote that the NCUA has not offered up any information on how the costs would be covered.

That the NCUA may be responsible for the breach at Palm Springs Federal Credit Union and the ensuing costs adds an even greater ironic twist, since credit unions, which have borne a good deal expense associated with recent retail data breaches, have been vocal in urging Congress to take proactive steps in establishing national data security standards for retailers. The National Association of Federal Credit Unions (NAFCU) recently argued that by inaction, Congress is allowing for the personal information of customers to be at risk, which ultimately ends up costing credit unions.