The hard drive had been accidentally damaged by an AICPA employee and was sent out for repair to an external data-recovery service in violation of the AICPA's policies, said Joel Allegretti, a spokesman for the New York-based organization. It was on its way back to the AICPA via FedEx but failed to arrive. Allegretti did not say when exactly the drive went missing except to note that the package containing it was due back at the AICPA "towards the end of February."

It took the organization until March 31 to "recreate the drive" and determine what data it contained. The AICPA began notifying affected members of the potential compromise of their personal data on May 8 and has since completed the task, Allegretti said.

Jim McClusky, a spokesman for FedEx Corp., said it is unclear what exactly happened to the drive. But he stressed that it is a mistake to characterize the package as being lost.

"We did handle the shipment, and we are working closely and cooperatively with our customer to determine where the package might be," he said. "It is still being investigated. At this point, we are looking at it as a missing shipment; that doesn't mean it's lost."

Based on investigations so far, it does not appear that information on the hard drive has been misused, Allegretti said.