NCUA Examiner Blamed for Data Breach
The NCUA said Monday an external flash drive that contained the names, addresses, Social Security numbers and account numbers belonging to members of the $13 million Palm Springs Federal Credit Union in California was lost during a recent exam.
The agency's comment came after unnamed sources told CU Times an NCUA examiner was responsible for the lost drive. Although the NCUA confirmed the loss of the data, it would not confirm that an NCUA examiner was responsible for the loss.
"NCUA confirms the loss of a thumb drive during an exam, which did not include passwords or PINs. NCUA has received no indication of any unauthorized access to members’ accounts or attempts to gain improper access," John Fairbanks, public affairs specialist, told CU Times.
"NCUA is working closely with the credit union. Consistent with Office of Management and Budget guidance, the notice to members about the lost data came from the credit union. This notice is also consistent with California law, as well as NCUA’s rules and instructions," Fairbanks added.
An Oct. 30 letter informing members about the breach said the flash drive was lost during an audit. A copy of the letter, obtained by CU Times, is shown at left. Click on the letters to expand.
“As part of the audit process, the credit union provided information regarding the credit union’s members on an external drive containing members’ names, addresses, Social Security numbers and account numbers,” Palm Springs FCU President/CEO Debbi Pitigliano wrote to members. “Regrettably, the drive was lost and its location is unknown. It is believed that the drive was lost on or about Oct. 20, 2014.”
“At this time we do not know if the external drive has been inadvertently destroyed or if it was acquired by an unauthorized person,” she wrote in the two-page letter. “All we know is that it is lost. We are currently unaware of any unauthorized access to member’s accounts or attempt to gain improper access.”
Pitigliano also wrote that the credit union was “fully investigating the incident.” In addition, Palm Springs FCU contacted law enforcement and reported the breach to the California Attorney General’s Office.
Pitigliano asked members to place a fraud alert on their consumer credit reporting agency report and watch their credit reports for the next 12 to 24 months.
The credit union also paid for an identity theft service to monitor members’ credit for up to a year and provide members identity repair assistance, according to Pitigliano’s letter.