- A former Consumer Financial Protection Bureau employee forwarded confidential information on thousands of consumers to a personal email account, the agency said.
- The CFPB, which notified lawmakers of the “major incident” last month, said the now-fired employee sent two spreadsheets containing names and transaction-specific account numbers related to roughly 256,000 consumer accounts at a single institution.
- The bureau said it has referred the matter to the Office of the Inspector General. The CFPB did not name the individual responsible for the breach.
The CFPB, which notified lawmakers of the breach March 21, said it has not found any evidence that the confidential information was shared beyond the employee’s personal email account.
“The CFPB takes data privacy very seriously, and this unauthorized transfer of personal and confidential data is completely unacceptable,” a CFPB spokesperson said of the breach, which was first reported Wednesday by The Wall Street Journal. “All CFPB employees are trained in their obligations under Bureau regulations and Federal law to safeguard confidential or personal information.”
The agency first became aware of the incident Feb. 14, people familiar with the matter told the Journal. After the incident was detected, the employee’s network access was revoked. The employee no longer works at the CFPB, the agency said.
The former employee has not complied with the CFPB’s demand to certify that the emails from his or her personal email have been deleted, according to the agency, which said it has relayed that information to the OIG.
The CFPB said the information involved in the breach includes the personally identifiable information of customers of seven institutions. The breach also involved confidential supervisory information on 45 institutions, The Wall Street Journal reported.
Coordination and outreach are still ongoing for the remaining institutions to identify the sensitivity of the PII and assess the risk of harm to consumers, the CFPB said. The agency did not disclose the names of the affected institutions.
Republican lawmakers — including Rep. Bill Huizenga of Michigan, who leads the House Financial Services Committee’s investigations panel, and Sen. Tim Scott of South Carolina, the ranking member on the Senate Banking Committee — requested briefings by CFPB Director Rohit Chopra regarding the breach.
Scott, in a statement Wednesday, blasted the agency’s data management practices in light of recent CFPB efforts to collect consumer data on credit cards and mortgages.
“It is no secret that Director Chopra wants to collect more and more data in order to push out progressive regulations,” Scott said. “Why should the CFPB be trusted to collect more data, burdening financial institutions and potentially limiting services for consumers, when they themselves have demonstrated an irresponsible handling of consumer’s financial information?”