Did Regulator Cause a Data Breach?
Experts Debate How Customer Data Could be Lost in an AuditA portable flash drive holding sensitive customer data was lost after it was used during a routine audit with federal examiners. Now experts are left wondering: How could such an egregious breach happen?
See Also: Gartner Market Guide for DFIR Retainer Services
Losing sensitive customer data as part of a regulatory audit is extremely rare, all agree, and likely could have been prevented if basic security procedures had been followed.
"Surely, the examiners should comply with the same types of restrictions the institutions they examine have to contend with to provide adequate security," says Shirley Inscoe, a financial fraud expert and analyst for consultancy Aite.
Lost Data - What Happened?
On Oct. 30, California-based Palm Springs Federal Credit Union sent a letter to its members, informing them that a flash drive containing member names, addresses and Social Security numbers had been lost sometime around Oct. 20, after a routine audit by the National Credit Union Administration.
It is unclear exactly who - the credit union or the NCUA examiner/auditor - is responsible for the flash drive's disappearance.
While Palm Springs FCU did not respond to Information Security Media Group's request for comment. A copy of the institution's notification was obtained and posted online this week by Credit Union Times.
"At this time we do not know if the external drive has been inadvertently destroyed or if it was acquired by an unauthorized person," the credit union writes. "All we know is that it is lost."
In its letter, Palm Springs FCU encourages its members to put fraud alerts on their credit reports as an identity-theft precaution.
The NCUA, in a subsequent statement to ISMG, says it is aware of the portable drive's connection to the October audit, but does not address how the drive was lost. "NCUA confirms the loss of a thumb drive during an exam, which did not include passwords or PINs," the NCUA states. "NCUA has received no indication of any unauthorized access to members' accounts or attempts to gain improper access."
The NCUA also says it is working closely with the Palm Springs FCU to investigate the drive's disappearance.
"NCUA only confirmed the loss, not how it happened or who was responsible," says NCUA spokesman John Fairbanks.
In the meantime, the NCUA and Palm Springs FCU are working to ensure they adequately notify all members who may have impacted.
"Since 2008, NCUA has had in place policies and procedures governing the proper handling of electronic data received as part of the examination process," the NCUA points out. "These procedures require NCUA examiners at all times to properly secure and control electronic devices containing sensitive or confidential information. We take this situation very seriously and we are committed to ensuring that the data shared in exams are protected."
'Trust is at Stake'
Outside observers say the breach sheds a negative light on how some banking regulators and institutions manage data, and could have a devastating public relations impact.
"We are deeply concerned about this event," says Eric Richard, general counsel for the Credit Union National Association. "NCUA examiners are charged with promoting the safety and soundness of credit unions, not putting it at risk. NCUA should conduct a thorough review of the situation to see what steps it can take to make sure that nothing like this happens again. Trust in the agency is at stake."
And while sensitive customer information is often shared with banking regulators during audits and exams, enhanced precautions, such as the use of secure file transfer portals and data encryption, should be more commonly used to transmit that information, says Amy McHugh, an attorney and former IT examination analyst for the Federal Deposit Insurance Corp., who now works as a banking consultant for CliftonLarsonAllen.
"I know the FDIC has a secure document upload service with two-factor authentication to transmit information," she says. "I'm not sure whether the NCUA has a similar process, and, if so, why it wasn't used."
McHugh says banking examiners aren't typically allowed direct access into institutions' internal networks. Instead, they often ask banks or credit unions to share data via secure file-sharing services.
"If the CU had secure e-mail, it could have e-mailed the information to the examiner as well," she says. "But, in my experience, small financial institutions don't have secure e-mail."
Anthony Vitale, former vice president of information technology at California-based Patelco Credit Union, who now works for supply chain software provider JDA Software, says institutions' policies related to how data is exchanged with banking regulators can often be lax.
"It would probably help if the exam team established a formal protocol with the CU prior to the exam, outlining the procedures for delivering and handling data, and requiring certain files to be password protected and encrypted," Vitale says. "There is nothing formal today. Exams are handled mostly by examiners leading and CUs following. There is nothing in the NCUA examiners' manual addressing the handing of data."
Flash Drive Risks
Neither NCUA nor Palm Springs FCU has said why a portable drive was used.
Regardless, McHugh says using any portable media for sharing sensitive customer information should be strictly prohibited. If using portable media is deemed a necessity, then any data should be fully encrypted and password protected. Also, the media should be scanned for viruses before any information is loaded to it. And as soon as the information stored to the device has been downloaded by the examiner/auditor, the media should immediately be returned to the institution, she says.
Aite's Inscoe says many banking institutions have adopted policies banning flash drives and other storage mechanisms from the workplace because these devices easily can be lost.
"It seems examiners should adopt a similar policy," she says.