CFPB Employee Sends 256,000 Consumers' Data to Personal Email


An employee from the US Consumer Financial Protection Bureau (CFPB) has reportedly forwarded confidential records of roughly 256,000 consumers and confidential supervisory information of approximately 50 institutions to a personal email account.

Congressman Bill Huizenga addressed the claims in a letter to CFPB director, Rohit Chopra, dated April 18.

“At the time of your notification, you indicated that the investigation was ongoing. You explained that the employee is no longer employed by the agency and that the employee certified they deleted each email,” reads the missive. “However, many questions remain unanswered.” 

Huizenga also asked Chopra to provide a briefing to the committee staff by April 25 to help them “better understand the mitigation and remediation efforts,” as well as the scale of the breach and efforts made to give the appropriate notifications.

“It’s a relief to see that apparently this breach has been contained and that the individual that misused the customer info is now gone,” commented Pixel Privacy consumer privacy champion, Chris Hauk. “Hopefully, the CFPB canceled all of that employee’s access to their systems.”

According to Darren James, senior product manager at Specops, however, it is unclear from the letter whether the CFPB has done any subsequent threat intelligence analysis to see if this data has appeared elsewhere.


“The CFPB has a lesson to learn here in responsible data handling,” James said. “Any training done has failed, and more emphasis should be made on Cyber Aware Training in the future to prevent poor security hygiene like this.”

Paul Bischoff, a privacy advocate with Comparitech, echoed James’s point, calling it “embarrassingly ironic” that the CFPB endangered consumers’ information.

“[Still], the breach was contained, and no one’s information appears to be at risk. I imagine CFPB staff will be attending a lot of meetings soon about how to properly handle data and workplace policy,” Bischoff concluded.

More information about employee training is available in this guide by Chrystal Taylor, senior technical product marketing manager at SolarWinds.
