PALM SPRINGS, Calif. — NCUA had a perfect track record when it came to data breaches — until now.
Out of more than 28,000 credit union examinations since 2008, NCUA has had only one data breach. But news broke this week that an
The breach came at the end of a year that has been mired in data breaches stemming mostly from major retailers and raises questions about not only how NCUA polices and advises credit unions on data security, but how well it holds itself to those same standards.
According to a statement from NCUA Executive Director Mark Treichel, the loss was the result of an examiner's failure to follow agency procedures that have been in place since 2008, requiring examiners "at all times to secure and control electronic devices containing sensitive or confidential information."
A separate e-mail from NCUA to Credit Union Journal explains that the regulator stipulates that "Any electronic device or physical storage device that contains sensitive or confidential information must likewise be properly secured and controlled at all times. NCUA staff are required to make every reasonable effort to obtain documents electronically, and staff are instructed to recommend that electronic documents provided by a credit union be encrypted or similarly secured."
Except under special circumstances, examiners are not permitted to leave a credit union with members' Social Security or tax ID numbers, and in those instances "direct supervisor notification and additional security procedures are required."
The agency has not gone into detail on the circumstances that led to the breach, and Palm Springs FCU did not respond to multiple calls from Credit Union Journal seeking comment.
NCUA insists it was "an unfortunate, but isolated" incident, and many credit union observers who spoke to CU Journal share that view. But many also emphasized that this can be a teachable moment for the regulator.
"Mistakes happen," said Geoff Bacino, a former NCUA board member. "I think anybody within credit union land and anybody at the agency understands that. We live in a very data-driven society right now... [and] this isn't going to be the last time this happens. The key is, what do we do going forward? How do they handle it? What does the agency do to make it right?"
Bacino suggested that — just like when CUs and retailers are impacted by data breaches — the agency must review its policies.
"If it happens at a credit union, they review their policies and ask 'What did we do? What do we need to do better? What do we lock down?' In this case, it was really kind of a misplacement, for want of a better term."
Bacino stressed that no matter what NCUA does it must be upfront and take responsibility for the situation.
The Path Forward
According to Treichel's statement, in the wake of the breach NCUA is working on adopting additional safeguards to protect electronic data, including:
- Establishing a team to review the circumstances that led to the incident at Palm Springs FCU
- Instructing a pre-existing review team to study whether or not CUs should be required to encrypt electronic member information
- Evaluating the possibility of using a secure portal to share information between the regulator and CUs rather than using hardware such as thumb drives.
Some of those proposals fall closely in line with suggestions from CUNA, which, in advance of the November NCUA board meeting,
Representatives for CUNA were not available to speak before deadline on this story, but speaking to CU Journal last month, CUNA's SVP and Deputy General Counsel Mary Dunn mentioned the possibility of examiners working from a secure, central site such as an NCUA regional office. Examiners could also, she suggested, use services like GoToMeeting or Skype to conference with the CU, only performing on-site visits as necessary.
But Carrie Hunt, SVP of government affairs and general counsel at NAFCU, cautioned that shifting to more digital measures may not solve the problem.
"There can be just as many issues with security when you implement technology as well," she told Credit Union Journal. "So whatever NCUA chooses to implement relative to their processes and procedures, a lot of times it becomes an issue of making sure people are following those, not necessarily whether you have something in place."
Bacino concurred.
"Anytime you do that, using more remote capture of data, you open yourself up to hackers," he reminded. "If you put more of it on the web, more of it into a cloud-based system, then you open yourself up from another angle. I don't know if it's a cure-all, but in terms of this issue, I'd like to see them do it, because it's important to try to reduce the amount of face time that examiners have within credit unions."
NAFCU President and CEO Dan Berger
Size Doesn't Matter
Both NCUA and Palm Springs FCU have given assurances that no members' passwords or PINs were lost as a result of the breach, and while it is unknown whether the drive has been destroyed, there has been no indication of any attempts to access members' accounts.
While Palm Springs FCU is only a $13 million credit union, sources interviewed for this story have said they believe the reaction — both from NCUA and from the CU community as a whole — would be the same if the impacted credit union were 100 times larger.
Matt Little, VP of products at tech vendor PKWARE, emphasized that a simple data-encryption strategy might have prevented the breach.
"Encryption is a bad word to a lot of people," he told Credit Union Journal, pointing out that many believe data encryption is either too complex or just not worth the hassle. "You can encrypt data on a device and give a credit union the ability to remotely detonate that data so that it's no longer consumable by anyone. Even if the [examiner] happened to have the decryption key when they lost it, at least someone [at the credit union] could go in and say 'This data on this drive is no longer consumable.'"
Ultimately, added Little, institutions need to not only be able to protect their data but control it. If NCUA is using USB drives as a part of examinations, he said, "their people have to be trained in how to encrypt that information" before it is put onto the flash drive.
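The control Little describes has two parts: the records on the drive are stored only as ciphertext, and the key that can open them is held somewhere other than the drive, so that losing the hardware does not mean losing the data. The following Go program is an added illustration of that pattern and is not code from NCUA, PKWARE or this article. It encrypts a constructed sample export with AES-256-GCM, shows that the bytes on the drive reveal nothing without the key, and stands in for "remotely detonating" the data with the simplest offline equivalent: destroying the only copy of the key (crypto-shredding). The label `examLabel`, the record layout and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedBlob is what actually lands on the removable drive: a nonce and
// AES-GCM ciphertext. No key material is stored alongside it.
type EncryptedBlob struct {
	Nonce      []byte
	Ciphertext []byte
}

// examLabel is authenticated (not encrypted) context that binds a blob to
// its purpose, so a ciphertext lifted from a different export will not open.
// The value is a constructed example.
const examLabel = "exam-export-v1"

// NewDataKey returns a fresh 256-bit AES key. The key stays with the data
// owner (for example in the credit union's key store), never on the drive.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts member records before they are written to removable media.
func Seal(key, plaintext []byte) (EncryptedBlob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return EncryptedBlob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedBlob{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(examLabel))
	return EncryptedBlob{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a blob read back from the drive. It fails closed: a wrong,
// zeroised or missing key, or a modified ciphertext, yields an error and no
// plaintext.
func Open(key []byte, blob EncryptedBlob) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob.Nonce, blob.Ciphertext, []byte(examLabel))
}

// Shred overwrites the key in place. Once the only copy of the key is gone,
// every blob sealed under it is permanently unreadable whether or not the
// drive is ever recovered: the offline analogue of "no longer consumable".
func Shred(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

func main() {
	// Constructed sample export; not real member data.
	records := []byte("member_id,ssn_last4\n1001,6789\n1002,4321\n")
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, records)
	if err != nil {
		panic(err)
	}
	fmt.Printf("first bytes on the drive: %x\n", blob.Ciphertext[:8])
	pt, err := Open(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("opened with the key: %q\n", pt)
	Shred(key)
	if _, err := Open(key, blob); err != nil {
		fmt.Println("after shredding the key:", err)
	}
}
```

The point of the design is where the key lives: if the key travels on the same drive as the ciphertext, encryption adds nothing once the drive is lost, which is why the article's quote separates "the decryption key" from the ability to render the data unreadable. A vendor product that can "remotely detonate" data on a device needs a network path to the device; key destruction on the owner's side needs none, which is why it is the fallback worth having.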
"A $1 billion bank will survive this a lot better than an $18 million credit union," he said, "but [regulators who cause data breaches] have the ability to put these guys out of business, and it's not okay to be cavalier with your customers' information."
Of course a $1 billion institution doesn't question whether or not it can afford high-tech encryption, whereas that might be a concern for many small CUs. But Little emphasized that the service doesn't have to be prohibitively expensive — as little as $60 per user in some cases, he said.
Regulator Response
NCUA staff are required to complete annual security awareness trainings, including how to protect personally identifiable information. That was last done in November, one month after the Palm Springs FCU data breach. Moving forward, according to NCUA Executive Director Mark Treichel's statement, field staff have been reminded about their responsibilities regarding data protection, and field directors plan to review select security policies at their next group meetings.
NCUA is planning additional security training for 2015.