CFPB Reveals Massive Data Breach
Last month, a former employee of the Consumer Financial Protection Bureau (CFPB) forwarded confidential information of over 250,000 consumers to a personal email account, an incident that the CFPB considered a “major” data breach. The employee sent spreadsheets with consumer names and transaction-specific account numbers at a single institution, and the CFPB referred the incident to the Office of the Inspector General.
“The CFPB takes data privacy very seriously, and this unauthorized transfer of personal and confidential data is completely unacceptable,” said a CFPB spokesperson, according to Politico. “All CFPB employees are trained in their obligations under Bureau regulations and Federal law to safeguard confidential or personal information.”
The CFPB became aware of the breach in February. The employee’s network access was revoked, and the employee was terminated soon after. The former employee has not complied with the Bureau’s request to confirm that the emails have been deleted from his or her personal account.
Banking Dive noted that the incident included personally identifiable information of customers of seven institutions, as well as confidential supervisory information on 45 institutions. The CFPB said coordination and outreach are ongoing for the rest of the institutions to identify the potential risks to consumers.
Representative Bill Huizenga (R-Mich.), Chairman of the Financial Services Subcommittee on Oversight and Investigations, sent a letter to CFPB Director Rohit Chopra, requesting that “to better understand the mitigation and remediation efforts, the scale of the breach, as well as efforts made to give the appropriate notifications, please provide a briefing to Committee staff as soon as possible.”
Senator Tim Scott (R-S.C.), Ranking Member of the Senate Banking Committee, also sent a letter to Chopra expressing concern about how the agency handles data, especially as the CFPB plans to gather more sensitive information from lenders, consumers, and small businesses.
“Why should the CFPB be trusted to collect more data, burdening financial institutions and potentially limiting services for consumers, when they themselves have demonstrated an irresponsible handling of consumer’s financial information,” he said.