"The thumb drive did not include passwords or PINs.  NCUA has received no indication of any unauthorized access to members' accounts or attempts to gain improper access. This loss resulted from a failure to follow agency policies on securing sensitive data," he added.

Treichel said NCUA examiners have been required to properly secure and control electronic devices containing sensitive or confidential data at all times since 2008.

"The agency has conducted more than 28,000 examinations since these security policies have been in effect without encountering a notable problem. This was an unfortunate, but isolated, incident, and both NCUA and the credit union acted quickly," he said.

According to Treichel, the agency and the credit union are taking "all appropriate actions to investigate the incident, notify members and combat possible identity theft."

As a result of the incident, the NCUA is reinforcing training on protecting sensitive information and reviewing its policies in the data security area. Treichel said the NCUA plans additional security training for examiners next year.

The NCUA is in the process of creating a team to review the circumstances surrounding this incident at Palm Springs. Treichel said the agency is also assessing the creation of an information sharing system between the agency and credit unions through a secure portal in place of using hardware like a flash drive.

"NCUA requires all staff to complete annual security awareness training, which includes training on the protection of personally identifiable information.  That was last done in November 2014," he said. "Further, field staff has been reminded of their responsibilities for maintaining information security, and field directors will review certain security policies at their next group meetings."