U.S. regulator says former employee downloaded data from office

WASHINGTON (Reuters) - A U.S. banking regulator said on Friday it had told Congress about what it called “a major information security incident” after a former employee was found to have downloaded a large number of files onto thumb drives before his retirement.

The Office of the Comptroller of the Currency said in a statement that there was no evidence to suggest that the data in the downloads had been disclosed to the public or misused in any way.

Before he retired in November 2015, the former employee downloaded a large number of files onto two removable thumb drives though the incident was only detected last month during a routine security review, the OCC said in a statement.

When the former employee was contacted, the OCC said, he “was unable to locate or return the thumb drives to the agency.”

The stolen data was encrypted, the agency said.

The Office of the Comptroller, along with the Federal Reserve and Federal Deposit Insurance Corporation, is one of the nation’s three most influential bank regulators that is tasked with protecting consumers and financial markets.

The OCC has deemed the breach a “major incident” because the devices containing the information are not recoverable and more than 10,000 records were removed, the agency said.

An official familiar with the investigation declined to comment on a possible motive. The official, who was not authorized to discuss the case, noted that a large batch of unclassified personnel records were among the cache.

Shane Shook, an independent cyber crime expert who helps governments and financial institutions respond to breaches, said that he was not particularly concerned about the loss of the data, which OMB regulations require the OCC to report to the public, regardless of impact.

“This happens quite a lot,” he said. “The risk would be if the information somehow gets released to unauthorized sources” such as WikeLeaks or another website where stolen data is posted.

He said that in many case employees or consultants who report missing thumb drives with sensitive data on them eventually end up finding them.

Representatives with the Department of Homeland Security and FBI said they had no immediate comment.

A number of high-profile data breaches at the federal level have highlighted the vulnerability of sensitive information.

In recent weeks, the National Security Agency has come under fresh scrutiny after a contractor was accused of having hoarded sensitive information at his home.

Reporting by Eric Walsh; Editing by Eric Beech and Lisa Shumaker