In Case You Didn’t Hear

A former employee of the Consumer Finance Protection Bureau (CFPB) sent confidential consumer data to approximately 256,000 people to their personal email accounts in what the agency described as a “major incident.”

The data -which the CFPB says the former employee had authorized access to – included personally identifiable information, such as names, and transaction-specific account numbers of consumers from seven institutions. The CFPB did not name the institutions used by customers impacted by the breach.

The Wall Street Journal reported that bureau officials became aware of the potentially inappropriate use of a personal email account on February 14th and the agency notified lawmakers about the incident on March 21st.

The matter has been referred to the Office of the Inspector General and appropriate action is being taken to address this incident. The CFPB says it has found no evidence that indicates that the staffer further disseminated the confidential data after it was sent to their personal email accounts. But the former employee has refused to provide evidence to the agency that proves material has been deleted.

One congressman weighed in on this issue stating” the breach raises concerns with how the CFPB safeguards consumers’ personally identifiable information while, yet another sent a letter to CFPB Director Rohit Chopra with concerns that the effect of the breach, “could be widespread and injurious.”

To better understand the mitigation and remediation efforts, the scale of the breach, as well as efforts made to give the appropriate notifications, the CFPB has been requested to provide a briefing to the Oversight and Investigations Subcommittee for the House Committee on Financial Services no later than April 25, 2023.

We at SCA will continue to monitor this story and keep you apprised of any new developments that will be forthcoming.