Major Data Breach At CFPB Puts 250,000 US Consumers At Risk

April 21, 2023
A former employee of the Consumer Financial Protection Bureau (CFPB) has made an unauthorised data transfer affecting more than 250,000 consumers and 50 financial institutions in what the agency described as a “major incident”.

A former employee of the Consumer Financial Protection Bureau (CFPB) has made an unauthorised data transfer affecting more than 250,000 consumers and 50 financial institutions in what the agency described as a “major incident”.

The incident came to light after the CFPB informed Congress about a “major incident”, which saw one of its employees transferring records containing personally identifiable information (PII) and confidential supervisory information (CSI) to a personal email account.

Although the breach took place on February 14, the CFPB informed lawmakers only on March 21, who have now brought the case to light.

A CFPB spokesperson told VIXIO that its investigation into the incident is still ongoing, as well as the agency’s outreach that aims to identify the sensitivity of the PII and assess the risk of harm to consumers.

Some members of Congress indicated that there were 65 emails exposed but the CFPB said only 14 of the emails included attachments with sensitive information.

The documents, to which the former employee had access in the course of their work, included two spreadsheets which contained names and transaction-specific account numbers.

The account numbers were used internally by the institution and were not the consumers’ bank account numbers, according to the spokesperson who emphasised that those “cannot be used to gain access to a consumer’s account.”

The spokesperson confirmed that the breach affected roughly 256,000 consumer accounts at seven institutions, although the vast majority of the accounts related to a single institution.

The employee’s network access was revoked as soon as the incident was uncovered by the agency. The employee is no longer employed by the CFPB, although it is unclear whether the employee was fired as a result of the breach.

The CFPB ordered the former staff member to delete the emails and certify that each email was deleted, but the person has not yet complied with this demand, the agency told VIXIO.

The agency’s spokesperson said the CFPB takes data privacy “very seriously” and this unauthorised transfer of confidential data is “completely unacceptable”.

“All CFPB employees are trained in their obligations under Bureau regulations and Federal law to safeguard confidential or personal information.”

Republicans probe CFPB response

The incident heats up the pressure on the CFPB, which has already been fiercely attacked by Republican members of Congress.

The agency, which was created in response to the financial crisis and is the brainchild of progressive Democrat Elizabeth Warren, has typically divided politicians along party lines. It has become even more so in recent years after the Biden administration picked Rohit Chopra to lead the agency.

In the past year, top members of the Republican-controlled House have blasted Chopra for his aggressive agenda, promising to rein in what they call an “unaccountable” and “unconstitutional” CFPB, while senior Democratic lawmakers vowed to “always defend” the agency.

Republicans of the House and the Senate are now demanding a response from Chopra on the scale of the breach and the mitigation efforts the agency made.

“My understanding is that the email could have possibly implicated more than 50 financial institutions. If these facts prove to be true, the effects could be widespread and injurious,” Bill Huizenga (R-MI), chairman of the House Financial Services Subcommittee on Oversight and Investigations, wrote.

Tim Scott (R-SC), the ranking member of the Senate Banking Committee, attacked the data collection practices of the CFPB, which he argues only helps Chopra “to push out progressive regulations”.

“Why should the CFPB be trusted to collect more data, burdening financial institutions and potentially limiting services for consumers, when they themselves have demonstrated an irresponsible handling of consumer’s financial information.”

Democrats have so far remained silent about the data breach.

The Senate Banking Committee’s spokesperson said the CFPB followed protocols by notifying relevant committees of the breach and the CFPB “has taken every step required of the agency”.

The spokesperson added that “any wrongdoers must be held accountable for misconduct”.

The scandal comes at a hard time for the agency, not only because it is being caught at the centre of a partisan spat but also because it is facing a new constitutional challenge.

In October, the Fifth Circuit Court ruled that the CFPB’s funding structure was unconstitutional, a decision that puts at risk all of the agency’s previous actions since, according to the court, an action by an unconstitutional agency is invalid.

The challenge is now pending before the Supreme Court of the US (SCOTUS) which is expected to decide, again, on the fate of the consumer agency within the coming months.

Our premium content is available to users of our services.

To view articles, please Log-in to your account, or sign up today for full access:

Opt in to hear about webinars, events, industry and product news

To find out more about Vixio, contact us today
No items found.
No items found.