An employee of the Consumer Financial Protection Bureau was fired after the confidential user data of nearly 256,000 people was sent to their personal email accounts in what the agency described as a “major incident.”
The data — which the CFPB says the former employee gained authorized access to — included personally identifiable information such as the names and transaction-specific account numbers of users from seven organizations.
The CFPB did not name the organizations used by customers affected by the breach.
According to the agency, much of the material was contained in two spreadsheets that staff sent to a personal email account. In total, the employee sent himself 65 emails.
The CFPB noted that the account numbers in the spreadsheets are used internally by the agency and are not bank account numbers and cannot be used to gain access to a user’s account.
The The Wall Street Journal reports that bureau officials became aware of the potentially inappropriate use of a personal email account on February 14, and that the agency notified lawmakers of the incident on March 21.
The agency says it fired the employee after learning of the incident.
“The CFPB takes data privacy very seriously, and this unauthorized transfer of personal and confidential data is completely unacceptable,” an agency spokesperson said in a statement to the Post.
“All CFPB employees are trained in the protection of confidential or private information in the Bureau’s regulations and their responsibilities under federal law. We have referred this matter to the Office of the Inspector General, and we are working to resolve this incident.” Appropriate action is being taken,” the spokesperson added.
The CFPB says it has found no evidence indicating that the employee further disseminated the confidential data after it was sent to their personal email account.
But the former employee has refused to provide the agency with evidence that proves the material was deleted.
House Financial Services Committee Chairman Rep. “This breach raises concerns about how the CFPB protects consumers’ personally identifiable information,” Patrick McHenry (R-NC) told the Wall Street Journal on Wednesday.
Rep. Bill Huizenga (R-Mich.), chairman of the Oversight and Investigations Subcommittee for the House Committee on Financial Services; A letter has been sent to CFPB Director Rohit Chopra Tuesday with concerns that the effects of the breach “could be widespread and damaging.”
“Many questions remain unanswered,” Huizenga wrote. “In order to better understand the mitigation and remediation efforts, the scale of the violation, as well as efforts to provide adequate information, please provide a briefing to the Committee staff as soon as possible but no later than April 25, 2023. .”
