CFPB Says Staffer Sent 250,000 Consumers’ Data to Personal Account

A Consumer Financial Protection Bureau employee forwarded to a personal email account confidential information on thousands of consumers and dozens of financial firms.

Source: Dow Jones | Published on April 20, 2023

A Consumer Financial Protection Bureau employee forwarded to a personal email account confidential information on thousands of consumers and dozens of financial firms, in what the agency has described to U.S. lawmakers as a major incident.

The employee, who no longer works at the CFPB, made an unauthorized transfer of records containing personal information on approximately 256,000 consumers at one institution, as well as confidential supervisory information on 45 institutions, a CFPB spokesman said. There is no evidence the records were shared beyond the former employee’s personal email account, the spokesman said.

While most of the personal information was tied to consumers at one institution, the emails included information on consumers from seven firms, the CFPB spokesman said. The CFPB hasn’t publicly identified the firms involved in the breach or the former employee who made the transfers.

Agency officials notified lawmakers about the incident on March 21, but they haven’t discussed it publicly. The incident hasn’t previously been reported. The CFPB hasn’t said why the employee forwarded the data.

The incident appears to be more limited in scope than some previous government-data breaches, such as when hackers stole the records of more than 20 million people from the servers of the Office of Personnel Management as part of at least two cyberattacks in 2014. Top White House and administration officials in the past have come under scrutiny for using personal email accounts for work.

Republican lawmakers are pressing CFPB Director Rohit Chopra for more details, saying many questions about the incident remain unanswered.

“This breach raises concerns with how the CFPB safeguards consumers’ personally identifiable information,” said Rep. Patrick McHenry (R., N.C.), chairman of the House Financial Services Committee.

The CFPB spokesman played down the severity of the breach, saying the personal information is largely limited to two spreadsheets with names and transaction-specific account numbers used internally by the financial institution. They don’t include the consumers’ bank account numbers and can’t be used to access a consumer’s account, the spokesman said.

The agency asked the former employee to delete the emails from his or her personal account and to “certify” and “provide attestation” that each email was deleted. As of Wednesday, the former employee hasn’t complied with these demands, the CFPB spokesman said.

A spokeswoman for Sen. Sherrod Brown (D., Ohio), who heads the Senate Banking Committee, said the bureau “followed protocols by notifying relevant committees of the breach” and has referred the matter to a government watchdog. “It would be irresponsible to speculate or jump to conclusions,” the spokeswoman said.

The incident is likely to renew Republican complaints about the bureau’s efforts to collect consumer data on credit cards and mortgages through its disclosure rules, consumer complaint database and enforcement actions. They say such actions threaten privacy and information security.

“Why should the CFPB be trusted to collect more data, burdening financial institutions and potentially limiting services for consumers, when they themselves have demonstrated an irresponsible handling of consumers’ financial information?” said Sen. Tim Scott of South Carolina, the top Republican on the Senate banking panel.

Financial regulators collect confidential information on the banks and other financial firms they supervise. They have access to so-called personally identifiable information that can be linked to the individual consumers of those institutions. Though the former employee had access to the confidential data as part of his or her job, officials are generally prohibited from transmitting these records from a government email account to a personal account.

In notifying lawmakers about the incident last month, consumer bureau officials said they became aware of the potentially inappropriate use of a personal email account on Feb. 14, people familiar with the matter said. A subsequent review found roughly 65 emails, some with attachments, that contained confidential supervisory information. Of those, about 14 emails contained personally identifiable information, or PII, about consumers.