Consumer Protection Bureau Staffer Sent 256,000 People’s Data To Personal Account

A former employee of the Consumer Financial Protection Bureau, also known as the CFPB, sent personal data for hundreds of thousands of people to a personal email account, the agency confirmed this week.

The since-dismissed staffer for the agency, which is responsible for protecting consumers in the financial sector, made an unauthorized transfer of records for 256,000 customers of an unnamed financial institution, as well as confidential information for 45 other institutions, an agency spokesperson confirmed with The Wall Street Journal. The spokesperson clarified that most of the records were linked to consumers at one institution, although personal data from consumers from seven other unnamed firms were implicated.

CFPB officials informed the House Financial Services Committee about the “major incident” on March 21, according to a letter that Oversight and Investigations Subcommittee Chairman Bill Huizenga (R-MI) sent the agency. The lawmaker said the transfer, which occurred through 65 emails, contained attachments, names, and account numbers for the 256,000 individuals.

The spokesperson for the CFPB said the breach was limited to two spreadsheets and lacked information that could be used to access the customers’ accounts, according to the report from The Wall Street Journal, which was the first outlet to publicize the news. The former employee nevertheless did not comply with a request from the agency to delete the emails from the personal account, as well as “certify” and “provide attestation” that each message was deleted.

Senate Banking Committee Ranking Member Tim Scott (R-SC) added in a separate letter on Wednesday that the CFPB finalized a rule on data collection from small businesses in the time since the discovery of the breach, a move which the lawmaker considers worrisome since the agency “has provided limited insight” on its data management practices.

“Why should the CFPB be trusted to collect more data, burdening financial institutions and potentially limiting services for consumers, when they themselves have demonstrated an irresponsible handling of consumer’s financial information?” Scott asked in a statement. “Our regulators and agencies need to take responsibility for their failures and must be held accountable.”

The Wall Street Journal noted that the breach at the CFPB seems to be less severe than other incidents which constituted federal data breaches, such as the hack of more than 20 million individuals’ records from the Office of Personnel Management in 2014.

CLICK HERE TO GET THE DAILY WIRE APP

One recent investigation from The Daily Wire found that the General Services Administration was required to create a system that federal agencies could use to protect sensitive data in accordance with the National Institute for Standards and Technology’s Identity Assurance Level 2. Officials charged with building the system neglected to use biometrics such as facial recognition, eye scans, or fingerprints to verify those seeking access to sensitive data, even though the standards were required for compliance. Officials opted to ignore the rules because they believed facial recognition technology might discriminate based on skin color.

A subsequent audit from the General Services Administration Inspector General found that senior officials ignored insiders who noted that the product was not truly secure and that the officials misled agencies into believing they were withdrawing a webcam security feature because of a new policy on equity.