Former NCUA Chair Outraged by Breach
Fryzel Criticizes Agency for Mishandling Customer Data
Few security incidents have manifested as much industry outrage as the customer data breach at a small credit union in California that resulted after a routine regulatory exam with the National Credit Union Administration (see Did Regulator Cause a Data Breach?).
And like the breach itself, I can't think of another time when a former regulator - in this case, Michael Fryzel, a former chairman of the NCUA who served from 2008 to 2009 and remains a member of the NCUA's board through the end of this year - has been so outspoken and critical of an agency he once oversaw. Fryzel's reaction to the breach puts this incident into context, making us all realize how grave the situation really is.
His assessment of how the NCUA handled this breach is pointed and critical. In short, he says the agency's failure to disclose the breach is concerning, and he recommends the U.S. Department of Justice intervene.
In a commentary that appeared in Credit Union Times on Dec. 17 and that he provided to Information Security Media Group on Dec. 22, Fryzel writes: "The data breach took place in October and yet it was not until two months later that the agency acknowledged the incident. And that acknowledgement came only after the Credit Union Times obtained a copy of the letter sent to all Palm Springs members. Despite this disclosure, the NCUA refuses to confirm an NCUA examiner was responsible for the loss."
What Actually Happened?
On Oct. 30, California-based Palm Springs Federal Credit Union sent a letter to its members, informing them that a flash drive containing member names, addresses and Social Security numbers had been lost sometime around Oct. 20, after a routine "audit" conducted by the National Credit Union Administration.
It's rare, unheard of really, for a breach of customer data to occur during a regulatory examination. Yet the breach was not confirmed by the NCUA, the federal regulatory agency responsible for credit union oversight in the U.S., until mid-December, when a copy of that Oct. 20 letter was obtained by Credit Union Times.
While details surrounding the breach remain sketchy, it appears that both the credit union and the NCUA are at least in part to blame for the loss of that flash drive - a loss that security and banking experts, like Fryzel, say never should have happened during a regulatory examination (see Post Breach, Regulator Reviews Policies).
Industry groups, such as the National Association of Federal Credit Unions and the Credit Union National Association, also have come forward to demand that the NCUA explain exactly how such an egregious mishap occurred.
What's more, they want to know why it took the NCUA so long to admit the mistake. They also want to know exactly how the NCUA, which is charged with ensuring the soundness and ongoing security of the institutions it oversees, is going to make sure a breach like this never happens again.
Lack of Transparency
Fryzel says the NCUA's lack of transparency is troubling. "To talk about transparency is one thing; to show you mean what you say is another," he notes. "I urge the NCUA board to ask the Inspector General to conduct an investigation of this matter. Everyone needs to know what occurred, who was responsible and why, as well as what has been done to reduce the possibility of it happening again. The IG must also determine why the industry was not told of this problem and who made the decision to keep the industry in the dark. He must ask who drafted the letter and why it was written the way it was."
Fryzel says the letter that went out to the credit union's members was misleading, as the NCUA would only be involved in regulatory examinations, not "audits."
"Use of the word audit would lead one to believe that the breach was caused by the credit union's CPA or internal auditor," Fryzel points out.
Al Pascual, director of fraud and security at Javelin Strategy & Research, says Fryzel makes some valid points. After all, banks and credit unions have been quick to point fingers at retailers they say have failed to handle breach response in an adequate fashion.
But to have a regulator calling out one of his own is rare, Pascual acknowledges.
"His commentary is less about the NCUA's handling of sensitive data and more about how it notified the public," Pascual says. "This same criticism has been levied against any number of organizations this past year about their own handling of data breaches; now it appears that the shoe is on the other foot. It is surprising, though, that Mr. Fryzel is the one who is drawing attention to the matter."
Fryzel is drawing attention to an incident that could have gone overlooked, had the letter that was sent to those Palm Springs members in late October not been leaked to the media. It should make all of us wonder how many other incidents like this have happened in the past that we never heard about.
Although it is rare for the Inspector General to be tapped to investigate a breach like this one, and the NCUA's response to it, Fryzel makes some valid arguments, especially where the wording of the notification letter is concerned. And having the IG step in would ensure the investigation is unbiased. If the NCUA did misstep, both in losing the flash drive and in failing to respond to the breach adequately, then a higher agency should be called upon to hold the NCUA accountable.