CFPB employee sent data of 250,000 customers to personal email
Employee hasn't yet certified that emails were deleted
A Consumer Financial Protection Bureau employee sent personally identifiable information linked to at least 256,000 consumers to a personal email account in a breach of the agency’s data protections.
The employee, who no longer works for the agency, had authorized access to the information. There’s no indication consumer data traveled beyond the former employee’s personal account, but the staffer has not complied with the agency’s demand for proof the emails have been deleted, the CFPB said.
The breach prompted Republicans on House and Senate financial oversight committees to write the agency asking for more details. The CFPB alerted Congress to the problem in March.
“The CFPB takes data privacy very seriously, and this unauthorized transfer of personal and confidential data is completely unacceptable. All CFPB employees are trained in their obligations under Bureau regulations and Federal law to safeguard confidential or personal information,” a spokesperson said in a statement. “We have referred the matter to the Office of the Inspector General, and we are taking appropriate action to address this incident.”
The breach included the names and transaction-related numbers for the accounts of 256,000 consumers at a single financial institution. The numbers were not bank account numbers and can’t be used to access the accounts, the agency said.
The CFPB didn’t say how many emails were sent to the employee’s personal account, but about 14 of them contained the personally identifiable information of customers at seven financial institutions.
Rep. Bill Huizenga, R-Mich., the House Financial Services Subcommittee on Oversight and Investigations chairman, said in a Tuesday letter to the CFPB that the breach involved 65 emails and that it could have implicated more than 50 financial institutions’ “sensitive information.” He pressed the agency for more information.
According to the office of Sen. Tim Scott, R-S.C., the agency learned of the breach on Feb. 14 and informed Congress on March 21. Scott, the ranking member of the Senate Banking Committee, asked the agency in a letter Wednesday for more information.
“This data breach is an egregious lack of oversight by the CFPB,” he said in a statement. “Why should the CFPB be trusted to collect more data, burdening financial institutions and potentially limiting services for consumers, when they themselves have demonstrated an irresponsible handling of consumer’s financial information.”
A spokesperson for Senate Banking Chairman Sherrod Brown, D-Ohio, defended the CFPB’s conduct.
“The CFPB followed protocols by notifying relevant committees of the breach,” the spokesperson said in a statement. “This matter has been referred to the Office of Inspector General. However, the CFPB has taken every step required of the agency, and any wrongdoers must be held accountable for misconduct.”
The CFPB said the employee’s access to the network was revoked after the breach was discovered.