A data breach by an employee at the Consumer Financial Protection Bureau is sending shock waves through the financial services industry, raising far more questions than answers about how an employee was able to obtain information on more than 250,000 consumers and dozens of companies.
The agency, whose mission is to go after bad behavior at financial institutions, said the employee is "no longer employed by the CFPB." Lawmakers were told of the data breach on March 21, according to the
The CFPB said it had identified "a confidential-information and privacy incident" in which a now-former CFPB employee was found to have sent confidential CFPB records on 256,000 consumers at a single institution to their personal email account. The CFPB said that after the incident was detected, the employee's network access was revoked.
"This is a major black eye for the CFPB," said Ed Groshans, a senior research and policy analyst at Compass Point Research & Trading. He said the breach will create a significant problem for the agency in terms of its internal compliance issues and public image.
"These types of breaches are unacceptable, regardless of entity," Groshans said. "There needs to be across-the-board stronger protections because identity theft is real."
The Wall Street Journal, which first reported on the data breach, said CFPB officials first became aware of inappropriate use of a personal email account on Feb. 14. A subsequent review by the bureau identified 14 email messages, some with attachments, sent by the employee to that employee's email account that also contained confidential supervisory information, the CFPB said. The documents, which the employee had authorized access to in the course of his or her work, included two spreadsheets containing names and transaction-specific account numbers.
The CFPB said the account numbers are used internally by the financial institution rather than the actual account numbers that could be used to gain access to a consumer's account. The former employee had two spreadsheets that contained the vast majority of the impacted Personal Identifying Information, or PII. In total, the employee had information that included personal identifiable information from customers of seven financial institutions, the bureau said.
The scale of the information involved with the seven institutions is much smaller, the bureau said, ranging from one institution where the CFPB identified the inclusion of two account numbers with no names included, to another where the CFPB identified approximately 140 loan numbers, of which roughly 100 also included de-identified information related to the loan or borrower, with no names included but other information such as income, credit score, and demographic information.
Investigation of the data breach and confidential information is still ongoing. The bureau relayed that information to the Office of Inspector General, and said it is fully cooperating with the OIG.
The breach gives more ammunition to Republicans in Congress who are keen to make a political target of Chopra and the CFPB. Rep. Bill Huizenga, R-Mich., chairman of the House Financial Services Oversight and Investigations subcommittee, demanded in a letter to the bureau that Chopra brief the House Financial Services Committee staff no later than April 25.
"At the time of your notification, you indicated that the investigation was ongoing," Huizenga said in the letter. "You explained that the employee is no longer employed by the agency and that the employee certified they deleted each email. However, many questions remain unanswered."
Sen. Tim Scott, ranking member of the Senate Banking Committee, asked for a briefing by May 8 to discuss the content of the data taken from the CFPB's systems, specific details about the breach, remediation steps to address the breach and any changes the bureau is taking to address data privacy practices that are being implemented.
"This is highly concerning given that the CFPB has provided limited insight to Congress into the CFPB's data management practices and efforts to ensure the privacy of consumer and small business data," Scott wrote in the letter.
A spokesperson for Sen. Sherrod Brown, D-Ohio, chairman of the Senate Banking Committee, said that the CFPB "followed protocols" by notifying relevant committees.
"This matter has been referred to the Office of Inspector General," the spokesperson said. "However, the CFPB has taken every step required of the agency, and any wrongdoers must be held accountable for misconduct."
Lawyers representing companies that have been asked to send information to the CFPB said the breach raises all kinds of questions about the bureau's work going forward.
"This is irresponsible," said Joann Needleman, a member of the Clark Hill law firm. "I am very concerned because I represent clients who are sending the CFPB extraordinary amounts of data in response to [civil investigative demands] and during supervisions. They should be more responsible in the protection of that data."
The bureau said it has no evidence to indicate that confidential information or personal information "was disseminated beyond the employee's personal email account." The CFPB said it had directed the former employee to delete the emails from his or her's personal account, certify that each email was deleted, and provide attestation once those actions were completed but the former employee "has not complied with this demand."
The CFPB also notified Congress, the Department of Homeland Security/Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget, and the Financial and Banking Information Infrastructure Committee, pursuant to federal reporting requirements.
The CFPB is in the process of finalizing a small business data collection rule that would collect vast amounts of lending data on credit products including term loans, lines of credit, credit cards, merchant cash advances and personally identifiable information.
Last year, Chopra ordered six of the largest tech firms — Amazon, Apple, Alphabet's Google, Meta, PayPal and Square (now Block) — to
"Part of their line of questioning was the security of the data," Groshans said. "This harms their ability to say, 'We're the cop on the beat,' and we're going to make sure that you're securing personal identifiable information."
