News Release 2016-138 | October 28, 2016
OCC Notifies Congress of Incident Involving Unauthorized Removal of Information
WASHINGTON—The Office of the Comptroller of the Currency (OCC) today notified Congress and other federal agencies of a major information security incident, as required by the Federal Information Security Modernization Act (FISMA).
The notifications were made to the Director of Office of Management and Budget (OMB), the Secretary of Homeland Security, the head of the Government Accountability Office, and Congress.
The incident reported by the OCC involves a former employee who downloaded a large number of files onto two removable thumb drives prior to his retirement and when contacted was unable to locate or return the thumb drives to the agency.
The downloads occurred in November 2015 and were first detected on September 1, 2016, during an OCC-initiated retrospective review of employee downloads to removable media that occurred over the last two years. The OCC began the review in August 2016 following implementation of a policy preventing employees from downloading information and data to removable media without supervisor approval. That retrospective review is still underway. The review identified a significant change in download patterns by a former employee in the week prior to the employee’s retirement. The concern was immediately referred to the Treasury Department’s Office of Inspector General (OIG) for investigation, and to the agency’s Core Management Group (CMG) for review.
Based on the CMG’s review of the incident and using information from the Treasury OIG, the agency concluded on October 27, 2016, that the event met OMB criteria of a major incident because it involved controlled unclassified information, including privacy information; the devices containing the information are not recoverable; and the incident involved the unauthorized removal of more than 10,000 records.
Based upon currently available information, there is no evidence to suggest that any non-public OCC information, including any personally identifiable information or controlled unclassified information has been disclosed to any member of the public or misused in any way. The information on the two thumb drives was encrypted based on OCC policy to prevent information that is lost or stolen from being misused. The incident has not adversely affected OCC systems or the OCC’s mission, nor has the agency detected corruption of any data as a result of the incident. Furthermore, policies and technical safeguards implemented in August 2016 now prevent such an event from occurring.
The OCC takes its commitment to cyber and information security seriously. Should the OCC’s continued review identify additional such incidents, the agency will report them as appropriate.