
CFPB: Ex-Staffer Sent Data On 256,000 Consumers To Personal Email Account

Apr 20, 2023

Agency said its investigation into the data breach is still active.

A former employee of the Consumer Financial Protection Bureau (CFPB) forwarded confidential information on hundreds of thousands of consumers to a personal email account, in what the agency describes as a “major incident.” 

According to the CFPB, the agency in March identified a “confidential-information and privacy incident” in which the former CFPB employee emailed the confidential records to their personal email account. The New York Post reported that the former staffer sent a total of 65 emails, but the CFPB did not confirm that number.

“Our review identified email messages, some with attachments, sent by this employee to their personal email account that contained CFPB confidential supervisory information,” the agency said in a statement. “Of those messages, approximately 14 emails, some with attachments, contained consumer personally identifiable information (PII).”  

After the incident was detected, the employee’s network access was revoked and the person is no longer employed by the agency.

According to the CFPB, the documents, which the employee had authorized access to, included two spreadsheets containing names and transaction-specific account numbers related to about 256,000 consumer accounts at a single institution. 

“The numbers are used internally by the institution, are not the consumers’ bank account numbers, and cannot be used to gain access to a consumer’s account,” the CFPB said. “These two spreadsheets contained the vast majority of the impacted PII. In total, the CFPB has identified that the information includes PII regarding customers of seven institutions.”

The agency continued, “Coordination and outreach are still ongoing for the remaining institutions to identify the sensitivity of the PII and assess the risk of harm to consumers. The scale of the information involved with those institutions is much smaller: ranging from one institution where the CFPB identified the inclusion of two account numbers with no names included, to another where the CFPB identified approximately 140 loan numbers, of which roughly 100 also included de-identified information related to the loan or borrower, such as income, credit score, and demographic information (with no names included).”

The agency did not identify any of the institutions affected by the breach.

The CFPB said an investigation into this incident is still ongoing, but added that it has “no evidence at this time to indicate that confidential information or PII was disseminated beyond the employee’s personal email account.”

The agency said it has directed the former employee to delete the emails from their personal account, certify that each email was deleted, and “provide attestation once those actions were completed.” The former employee, however, has not complied with that demand, it said. 

“The CFPB has relayed that information to the Office of Inspector General (OIG), to whom this matter was already referred, and continues to fully cooperate with OIG,” the agency said.

The CFPB said it also notified Congress, the Department of Homeland Security/Cybersecurity and Infrastructure Security Agency, the Office of Management and Budget, and the Financial and Banking Information Infrastructure Committee, as mandated by federal reporting requirements. 

“The CFPB takes data privacy very seriously, and this unauthorized transfer of personal and confidential data is completely unacceptable,” an agency spokesperson said. “All CFPB employees are trained in their obligations under Bureau regulations and Federal law to safeguard confidential or personal information. We have referred the matter to the Office of the Inspector General, and we are taking appropriate action to address this incident.”

U.S. Rep. Bill Huizenga, R-Mich., who chairs the Oversight and Investigations Subcommittee for the House Committee on Financial Services, sent a letter to CFPB Director Rohit Chopra on Tuesday asking questions about the breach and stating that its “effects could be widespread and injurious.” 

Huizenga asks Chopra to provide a briefing to committee staff “as soon as possible but no later than April 25, 2023.”

About the author
David Krechevsky was an editor at NMP.