Kirk Kordeleski, the CEO of Bethpage Federal Credit Union, saidthe exposure of personal information from up to 86,000 of thecredit union's 205,000 members happened because a staff memberinadvertently uploaded a file containing the information onto a ininsecure website.

“She believed the website was secure. It had a password,”Kordeleski said Wednesday. “But it was not.”

Kordeleski added that the staff member was no longer with thecredit union, and media outlets have reported she resigned.

The site that the staff member used was one the Bethpage, N.Y.,credit union uses to move large files such as photos and othergraphics, Kordeleski explained.

The $4.7 billion Long Island credit union had been sending thedata to the firm it uses to generate member mailings, Kordeleskisaid, in conjunction with a conversion of its debit card portfoliofrom Visa to MasterCard branded cards.

Kordeleski said the data had been on the unsecured site for 30days, long enough for Google to have indexed it. But he addedthat security firms that the credit union consulted said only a fewInternet users appeared to have viewed the data.

He also said Bethpage considered the risk of ACH fraud from thedata spill was remote. While the exposed data would be enoughto generate an ACH withdrawal, such withdrawals required the personwithdrawing the funds to have a deposit account.

Under the terms of the know-your-customer or know-your-memberrules, it is considered very difficult to generate a fraudulent ACHwithdrawal without being caught, Kordeleski said.