Congressional lawmakers are seeking answers from the Consumer Financial Protection Bureau on a data breach involving personal account information.
The data breach, first reported by the Wall Street Journal, was reportedly initiated by a former CFPB employee, who forwarded personal information on 256,000 consumers and confidential information on 45 financial institutions to a personal email account.
The Journal report said there is no evidence the employee shared the data with anyone else, adding that the data can’t be used to access bank accounts.
“The CFPB takes data privacy very seriously, and this unauthorized transfer of personal and confidential data is completely unacceptable. All CFPB employees are trained in their obligations under Bureau regulations and Federal law to safeguard confidential or personal information. We have referred the matter to the Office of the Inspector General, and we are taking appropriate action to address this incident,” the bureau said in a statement to PYMNTS.
U.S. Sen. Tim Scott (R-SC) has requested a briefing on the matter from the CFPB Director Rohit Chopra concerning a breach of sensitive data.
“This data breach is an egregious lack of oversight by the CFPB. It is no secret that Director Chopra wants to collect more and more data in order to push out progressive regulations. Why should the CFPB be trusted to collect more data, burdening financial institutions and potentially limiting services for consumers when they themselves have demonstrated an irresponsible handling of consumers’ financial information. This is particularly concerning in the face of the failures of SVB and Signature Bank. Our regulators and agencies need to take responsibility for their failures and must be held accountable,” Scott, ranking member of the Senate Committee on Banking, Housing, and Urban Affairs, wrote in a letter to Chopra.
U.S. Rep. Bill Huizenga (R-MI), chair of the Financial Services Subcommittee on Oversight and Investigations, is also demanding a briefing before his subcommittee.
“On March 21, 2023, your staff informed the House Committee on Financial Services about a ‘major incident’ in which an employee of the Consumer Financial Protection Bureau (CFPB) made an unauthorized transfer of records containing personally identifiable information (PII) and confidential supervisory information (CSI) to a personal email account. Alarmingly, the transfer included 65 emails, including attachments and names and account numbers of approximately 256,000 consumers. My understanding is that the email could have possibly implicated more than 50 financial institutions. If these facts prove to be true, the effects could be widespread and injurious,” Huizenga wrote to Chopra. “At the time of your notification, you indicated that the investigation was ongoing. You explained that the employee is no longer employed by the agency and that the employee certified they deleted each email. However, many questions remain unanswered.”
He is seeking a briefing to better understand the mitigation and remediation efforts, the scale of the breach, as well as efforts made to give the appropriate notifications. Huizenga requested a briefing by April 25.