Pen drives used in OCC data breach
The OCC said that two pen drives were used to exfiltrate over 10,000 files in November last year

A US federal banking regulator, the Office of the Comptroller of the Currency (OCC), has notified Congress about a "major security incident" after tens of thousands of internal files were downloaded without permission by a former employee.

The ex-staffer, whose identity and position were not revealed, accessed the files in November 2015, just prior to his retirement. However, when contacted by the agency after the breach came to light, he was unable to locate or return two pen drives used to store the data at the time.

The cybersecurity mishap went undiscovered for 10 months. It was finally revealed on 1 September this year, after the OCC conducted a "retrospective review of employee downloads to removable media" over the last two years, following the introduction of policy changes.

The review, which started in August 2016 and is still underway, identified significant changes to the former employee's download patterns just before he left the federal department. The matter was then referred to the Treasury Department's Office of Inspector General (OIG) for investigation.

On 27 October, the OCC concluded the data loss met the criteria of a "major" security incident for multiple reasons: it included private information, the devices used to steal the data could not be recovered, and it involved the unauthorised removal of more than 10,000 records.

The agency said its ongoing investigation found nothing to suggest the stolen information had been actively exploited. Furthermore, it maintained the data was encrypted, no backend systems appeared to have been tampered with and cybersecurity protections have since been bulked up.

"The OCC takes its commitment to cyber and information security seriously. Should the OCC's continued review identify additional such incidents, the agency will report them as appropriate," the regulator said in a statement.

"Based upon currently available information, there is no evidence to suggest that any non-public information, including any personally identifiable information or controlled unclassified information has been disclosed to any member of the public or misused in any way.

"The notifications were made to the Director of Office of Management and Budget (OMB), the Secretary of Homeland Security, the head of the Government Accountability Office, and Congress."

As noted by The Wall Street Journal, government agencies are required by law to report all major incidents to Congress and this is the first time the OCC has had to do so. Yet it follows a number of cybersecurity incidents facing major financial regulators in the US.

Back in July, the Federal Deposit Insurance Corporation (FDIC), a separate entity responsible for safeguarding the bank accounts of US citizens, was accused of being infiltrated by Chinese hackers in a damning report compiled by the House Committee on Science, Space and Technology.

The 25-page congressional paper repeatedly slammed the FDIC for its cybersecurity standards and alleged the agency attempted to evade oversight from authorities. Lamar Smith, the House Committee chair, branded the "repeated efforts to conceal information" as "inexcusable."