Major US CFPB Data Breach Caused by Employee

The sensitivity of the personal information involved in the breach has yet to be determined by agency officials, but it affects 256,000 consumers.

Dark Reading Staff, Dark Reading

April 20, 2023

2 Min Read
a blue, digital image of zeros and ones forming a series of locks with a broken, red lock at the forefront.
Source: Nico El Nino via Alamy Stock Photo

The Consumer Financial Protection Bureau (CFPB), an agency of the US government that protects consumers in the financial sector, announced that an employee committed a major breach in emailing the personal information of 256,000 consumers to a personal email account.

In briefings between lawmakers and the consumer bureau director, Rohit Chopra, the agency staff informed elected officials that they first learned of the breach on Feb. 14. Chair of the Financial Services Committee's investigation panel on the matter, Rep. Bill Huizenga, stated in a letter to Chopra that "the transfer of records could have possibly implicated more than 50 financial institutions' sensitive information" and requested a briefing before a deadline of April 25.

The employment of the individual who committed the breach has been terminated by the agency, and the person has been asked to delete the emails and provide proof of such, though the person has yet to comply with these requests.

"This unauthorized transfer of personal and confidential data is completely unacceptable. All CFPB employees are trained in their obligations under Bureau regulations and Federal law to safeguard confidential or personal information," the agency stated.

At this time, the agency has identified that the information included in the breach involves personal identifiable information (PII) of customers from seven institutions, though they are not yet sure of the degree of sensitivity of the PII and are still assessing the level of risk to the consumers involved.

"Unfortunately, this is an example of clumsy handling of sensitive data. Even if there was no ill intent by the individual concerned there are still huge risks to data privacy whether the email was encrypted, who else has access to that email account, and whether there's a strong password or MFA enabled on the personal email account," Darren James, senior product manager with Specops Software, said in an emailed statement. "The CFPB has a lesson to learn here in responsible data handling. Any training done has failed and more emphasis should be made on Cyber Aware Training in the future to prevent poor security hygiene like this instance."

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights