Three months after examiners from the National Credit Union Administration lost a thumb drive containing names and account numbers of a credit union’s members during an audit, the federal regulator said it will reimburse the credit union for its costs in the breach, Bank Info Security reported.
The NCUA said its board approved payment of up to $50,000 to Palm Springs Federal Credit Union, which was being audited on Oct. 20, 2014, when the drive went missing. The credit union notified its members on Oct. 30 that the drive, containing member names, addresses, Social Security numbers and account numbers, had been lost.
But weeks after the breach, the NCUA still hadn’t publicly acknowledged that its personnel had lost the drive. However, the agency’s chairwoman, Debbie Matz, said NCUA was considering whether it should require credit unions to encrypt consumer data before it’s shared with examiners — a proposal that wasn’t received well by credit unions.
In its statement about the breach-related payment, NCUA finally took responsibility for the breach. “As a result of a failure to follow longstanding agency policies on securing sensitive data, a thumb drive given to an examiner was lost during an examination of Palm Springs Federal Credit Union,” the NCUA said, adding that it was taking “appropriate action with staff involved” and would improve training and adopt additional safeguards to avoid any repeat.
The NCUA statement also said the agency will pay for credit-report monitoring for members, breach-related staff time and legal fees. If those exceed $50,000, the NCUA board will have to approve more reimbursement money.
According to the statement, those costs currently stand at $36,000. So far, there’s no evidence suggesting any unauthorized access to members’ accounts or attempts to gain improper access stemming from the data loss.
An NCUA spokesman didn’t provide any additional details about the NCUA’s investigation of the agency’s part in the breach, which was handled by the NCUA’s Inspector General James Hagen. But the spokesman said the payment to the California credit union is the first the NCUA has made to a credit union for an examination-related breach. “This is the first time we’ve done this, as it’s the first time in 28,000 examinations that this has happened,” he said.