The Consumer Financial Protection Bureau is currently investigating a data breach involving the confidential records of 256,000 consumers.
According to the Wall Street Journal, the breach came when a staffer at the agency emailed those confidential records, which belonged to customers of one institution, to a personal email account. That staffer also took the confidential supervisory information on 45 other institutions. According to the CFPB, that staffer no longer works for them, but it is currently unclear what damage may have been done.
More from the WSJ:
While most of the personal information was tied to consumers at one institution, the emails included information on consumers from seven firms, the CFPB spokesman said. The CFPB hasn’t publicly identified the firms involved in the breach or the former employee who made the transfers.
Agency officials notified lawmakers about the incident on March 21, but they haven’t discussed it publicly. The incident hasn’t previously been reported. The CFPB hasn’t said why the employee forwarded the data.
The incident appears to be more limited in scope than some previous government-data breaches, such as when hackers stole the records of more than 20 million people from the servers of the Office of Personnel Management as part of at least two cyberattacks in 2014. Top White House and administration officials in the past have come under scrutiny for using personal email accounts for work.
The CFPB first became aware of the email transfers back in February. While investigating the breach, they found 65 emails with “confidential supervisory information” and 14 emails with personally identifiable information about consumers.
Republicans, who are already critical of the agency, have been outspoken in their condemnation of the breach and the agency’s data collection efforts.
“This breach raises concerns with how the CFPB safeguards consumers’ personally identifiable information,” House Financial Services Committee chairman Rep. Patrick McHenry said.
Sen. Tim Scott, the top Republican on the Senate Banking Committee, echoed those thoughts. “Why should the CFPB be trusted to collect more data, burdening financial institutions and potentially limiting services for consumers, when they themselves have demonstrated an irresponsible handling of consumers’ financial information?” he asked.
The CFPB has been pushing for new rules and powers to collect data, including:
- Registry to Detect Repeat Offenders
- Rule to Create a New Data Set on Small Business Lending in America
- Rule to Establish Public Registry of Terms and Conditions in Form Contracts That Claim to Waive or Limit Consumer Rights and Protections
But those efforts have Republicans worried, and the February breach shows that the threat isn’t necessarily from hackers seeking private information, but from staffers within the agency – and possibly those with a political agenda.
With as much information as the CFPB intends to collect, politicians who have been critical of the agency have even more incentive to continue going after it. Sen. Ted Cruz of Texas has repeatedly pushed a bill to eliminate the CFPB, and Rep. Blaine Luetkemeyer of Missouri is threatening to push for the agency to be made accountable rather than left as a standalone agency.
What’s more, the CFPB appears to be expanding not just its data collection efforts, but also its reach into other domestic issues.
The Wall Street Journal also notes how the agency has begun targeting a company called Townstone not because of any issues with current consumers, but because of statements the company’s owner made on a radio program.
The CFPB accuses Townstone owner Barry Sturner and others affiliated with the company of making “statements that would discourage African-American prospective applicants from applying for mortgage loans.” The suit, filed in 2020, doesn’t provide any concrete examples of consumers that Townstone has allegedly mistreated. Rather, the CFPB points to a handful of statements Mr. Sturner and other company officials made over a four-year period on the Townstone Financial Show—a weekly radio program and podcast. These statements, according to the regulatory behemoth, discourage “prospective applicants, on the basis of race, from applying for credit.”
The CFPB’s action against Townstone is concerning for many reasons. Chief among them is the lawsuit’s blatant attempt to apply antidiscrimination laws to speech made to a general audience in a mass-media venue rather than to individual customers or employees in a workplace. The Pacific Legal Foundation, a public-interest law group representing Townstone, warns in a legal brief that this approach to enforcement “would arrogate to the CFPB the authority to censor speech.”
This goes well beyond the scope of any power the agency had ever been granted and is once again a sign that it does need to be reined in.
How can an agency push for increased data collection efforts and within three weeks see an employee steal the information of a quarter of a million consumers and face no consequences? How can an agency of the government pursue a business owner in a way that’s clearly a violation of the First Amendment? It’s clear that the Consumer Financial Protection Bureau has exceeded its authority, and Congress must act.