Reports surfaced last night that the Consumer Financial Protection Bureau (CFPB) has informed lawmakers of that an employee who no longer works at the Bureau forwarded confidential information on 250,000 consumers and dozens of financial firms to a personal email account. The CFPB has described this as a “major” incident to U.S. lawmakers.
The unauthorized transfer involved personal information on approximately 256,000 consumers at one institution and confidential supervisory information on 45 institutions. There is no evidence that the records were shared beyond the former employee’s personal email account, according to a CFPB spokesman. Although most of the personal information was tied to consumers at one institution, the emails included information on consumers from seven firms. The CFPB has not publicly identified the firms or the former employee involved in the breach, and the motive for forwarding the data remains unknown.
While the incident appears to be more limited in scope compared to previous government data breaches, Republican lawmakers are pressing CFPB Director Rohit Chopra for more details. Rep. Patrick McHenry [R-N.C.], chair of the House Financial Services Committee, expressed concerns over the CFPB’s ability to safeguard consumers’ personally identifiable information.
The CFPB spokesman downplayed the severity of the breach, explaining that the personal information was largely limited to two spreadsheets containing names and transaction-specific account numbers used internally by the financial institution. The data does not include consumers’ bank account numbers and cannot be used to access a consumer’s account.
The agency has requested the former employee delete the emails from their personal account and provide attestation that each email was deleted. However, the former employee has yet to comply with these demands.
As the situation unfolds, the incident is likely to reignite Republican complaints about the bureau’s efforts to collect consumer data through its disclosure rules, consumer complaint database, and enforcement actions. Sen. Tim Scott [R-S.C.], the top Republican on the Senate Banking Committee, questioned the CFPB’s trustworthiness to collect more data when they have demonstrated an irresponsible handling of consumers’ financial information.