Consumer Financial Protection Bureau says former employee sent confidential info on 256,000 people to personal email
The Consumer Financial Protection Bureau (CFPB) confirmed a data breach on Thursday involving the personal information of “roughly 256,000 consumer accounts at a single institution.”
An official at the CFPB told Recorded Future News that they discovered that a former employee sent confidential records to their personal email account in 14 different emails.
The employee was authorized to access the files but two of the spreadsheets sent to their personal email address had names and account numbers related to accounts at a financial institution. The numbers are used internally by the institution, and CFPB said they cannot be used to access the customer accounts.
The former employee has been ordered to delete the emails and provide evidence that they were deleted – but officials confirmed that this employee has not yet complied. CFPB said it is now cooperating with the Office of Inspector General on the issue.
The Wall Street Journal reported that the agency knew about the incident by February 21 and began informing Congress on March 21.
Most of the information was held in two spreadsheets but other documents sent had personal information from customers at seven different financial institutions.
“The CFPB takes data privacy very seriously, and this unauthorized transfer of personal and confidential data is completely unacceptable,” a spokesperson told Recorded Future News.
“All CFPB employees are trained in their obligations under Bureau regulations and Federal law to safeguard confidential or personal information. We have referred the matter to the Office of the Inspector General, and we are taking appropriate action to address this incident.”
CFPB is still working with the financial institutions to figure out how sensitive the leaked personal information is and what kind of risk those affected face.
The agency – which is responsible for consumer protection in the financial sector – said that outside of the large trove of data from the single unnamed institution, small amounts of data related to other companies were involved.
CFPB said one of the documents attached to the emails related to one institution and had two account numbers with no names attached while another had 140 loan numbers – 100 of which had information related to the loan or borrower, such as income, credit score and demographic information. No names were included, the CFPB said.
The agency said it revoked the employee’s network access and fired them once the incident was discovered.
They are still investigating the incident but the agency said it has found no evidence that the data was shared beyond the former employee’s emails.
Congress has been notified of the incident alongside the Cybersecurity and Infrastructure Security Agency, the Office of Management and Budget and the Financial and Banking Information Infrastructure Committee.
“This data breach is an egregious lack of oversight by the CFPB,” Senator Tim Scott said in a statement to CFPB Director Rohit Chopra.
“This is particularly concerning in the face of the failures of SVB and Signature Bank. Our regulators and agencies need to take responsibility for their failures and must be held accountable.”
Scott demanded a hearing by May 8 and Rep. Bill Huizenga (R-MI) sent a similar letter to Chopra claiming the agency said on March 21 that the incident involved 65 emails that “could have possibly implicated more than 50 financial institutions’ sensitive information.”
“At the time of your notification, you indicated that the investigation was ongoing. You explained that the employee is no longer employed by the agency and that the employee certified they deleted each email. However, many questions remain unanswered,” Huizenga said.
“To better understand the mitigation and remediation efforts, the scale of the breach, as well as efforts made to give the appropriate notifications, please provide a briefing to Committee staff as soon as possible but no later than April 25, 2023.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.