Refer to previous guidance from the regulators on pre-text calling. You should report this occurance to the Security Dept. for follow-up. Controls and procedures should be in place for just such occurances (Establish "best practices"
controls and procedures for personnel to follow and report).
If the information leads to the believe that a customer's information may be compromised, immediate action should be taken to protect the bank and customer. Remember the bank is vunerable to reputation risk, if this matter gets out of hand and reported to the media. Can you imagine, the press will have a field day.