The loss of a thumb drive containing credit union members' personal information by an NCUA examiner is now the subject of an investigation by the agency's inspector general.
In a statement Monday, NCUA IG James Hagen said his office will conduct an audit to determine whether the agency has appropriate controls in place to safeguard sensitive data.
It will also review why NCUA chose to conceal news of the breach prior to it appearing in media reports.
Finally, the IG office will investigate who inside the agency leaked the breach's existence to the news media earlier this month.
Sharon Separ, a spokesman for the IG, said Monday that the investigation into the leak was launched "in response to an allegation of wrongdoing," but she declined to say whether that allegation came from NCUA.
Separ added that the IG was not informed about the breach by the regulator; rather, it learned about it from press accounts.
After the breach became public knowledge, NCUA acknowledged one of its examiners lost a thumb drive containing information about members of the $13 million-asset Palm Springs FCU on or around Oct. 20. However, the regulator has yet to publish on its website a statement or press release detailing what happened.
In an email to Credit Union Journal earlier this month, NCUA stated that the lost thumb drive did not contain members' passwords or PIN numbers, but it declined to say whether the examiner responsible for the breach has been disciplined.
While this is apparently the first time anything like this has happened to NCUA, lost or stolen thumb drives containing sensitive client data are relatively commonplace in business.
In March, a healthcare provider in Escondido, Calif., had to inform 5,000 patients their personal information had been compromised after a laptop and two thumb drives were stolen.
And last December, insurer Kaiser Permanente was forced to tell 50,000 customers of its Anaheim (Calif.) Medical Center their data had been breached when a thumb drive went missing.