PYMNTS-MonitorEdge-May-2024

CFPB Data Breach Exposes Data of 250,000 Consumers and 45 Banks

The Consumer Financial Protection Bureau (CFPB) has told lawmakers that it suffered a data breach.

A CFPB employee, who no longer works there, forwarded personal information on 256,000 consumers and confidential supervisory information on 45 financial institutions to a personal email account, The Wall Street Journal (WSJ) reported Wednesday (April 19).

The CFPB notified lawmakers about the breach on March 21, describing it as a “major incident,” but has not publicly identified the employee, the firms whose information was forwarded or the reason the employee transferred the data, according to the report.

Reached for comment by PYMNTS, a CFPB spokesperson provided an emailed statement: “The CFPB takes data privacy very seriously, and this unauthorized transfer of personal and confidential data is completely unacceptable. All CFPB employees are trained in their obligations under Bureau regulations and Federal law to safeguard confidential or personal information. We have referred the matter to the Office of the Inspector General, and we are taking appropriate action to address this incident.”

A CFPB spokesperson told the WSJ that there is no evidence the employee shared the data with anyone else and that the data can’t be used to access consumers’ bank accounts.

The spokesperson also said the CFPB asked the former employee to delete the emails and to “provide attestation” that they had done so, but that the person has not complied, according to the report.

The breach is likely to bolster complaints about the CFPB’s efforts to collect consumer data, as Republican lawmakers have already said these efforts threaten privacy and data security, the report said.

Republicans are also asking the CFPB for more information about the breach, saying there are details that have not been shared with them, per the report.

This incident comes about nine months after the CFPB handed down new data privacy and cybersecurity regulations to dictate how companies can use and share credit reports under the Fair Credit Reporting Act.

Credit reporting companies and users of credit reports “have specific obligations to protect the public’s data privacy” and there is “potential criminal liability for certain misconduct,” the CFPB said in a July press release.
