The Consumer Financial Protection Bureau revealed to lawmakers that one of its own employees had stolen the private data of over a quarter million consumers along with details on dozens of financial firms. That news has finally come to light for the general public as well, with plenty of lawmakers asking questions in the aftermath.
But, some questions remain. Who was the data thief (calling it a “data breach” is simply dishonest – this was someone who emailed themselves private information on hundreds of thousands of people), and do the victims know their private data was stolen?
The CFPB has been forthcoming on some of this while staying silent on the rest – particularly when it comes to defending its data collection efforts.
Who Is the Thief?
According to Law360, the CFPB data thief is someone who routinely looked at sensitive financial information. That employee, a bank examiner, copied their own personal email address on an email to a colleague that contained the data. That colleague, in turn, recognized this as a clear violation of protocol and reported it.
The CFPB publicly acknowledged this past week that an unnamed staffer was found to have mishandled agency records by emailing them to a personal inbox, a breach that the agency became aware of in February and notified lawmakers about last month, describing it as a “major incident.”
The staffer, who is no longer employed at the agency, forwarded confidential supervisory information on 45 financial institutions as well as personally identifiable information, including two spreadsheets with names and transaction-specific account numbers for more than 250,000 consumer accounts at one institution.
Although the staffer reportedly had access to this material for work, the nature of this work hasn’t previously been clear. But a CFPB spokesperson told Law360 on Friday that the individual was an examiner working in supervision, which routinely deals with sensitive information on financial institutions and their customers as part of the exam process.
The bank examiner is no longer with the CFPB, but we don’t know whether the stolen data was recovered (or destroyed) before it could be spread further. For its part, the CFPB has referred the matter to its Office of Inspector General. But, as Law360 notes in another story on this data theft, the whole matter raises far more questions than answers.
Of the sensitive material forwarded by the examiner, for example, the agency has said the consumer-linked data was found overwhelmingly in just two spreadsheets and doesn’t appear to have gone further than the staffer’s personal inbox.
The CFPB has also defended its handling of the incident as by the book, maintaining that it alerted the proper oversight authorities once it realized what had happened and has since reached out to affected financial institutions as well.
Why was sensitive data of that type stored in an easily accessed spreadsheet, and why was it so easy to transfer it out of the agency? What type of information is in that spreadsheet, and why does the CFPB need it?
As previously mentioned, plenty of lawmakers have raised questions about this data collection effort.
“This breach raises concerns with how the CFPB safeguards consumers’ personally identifiable information,” House Financial Services Committee chairman Rep. Patrick McHenry said.
“Why should the CFPB be trusted to collect more data, burdening financial institutions and potentially limiting services for consumers, when they themselves have demonstrated an irresponsible handling of consumers’ financial information?” Sen. Tim Scott asked.
CFPB Silent to Consumers
A month passed between lawmakers being told and the American public being told, when the story was first disclosed to the Wall Street Journal.
And the CFPB continues to remain silent, not telling the consumers or the firms who were affected that their data was stolen.
“To sit on it for this long, and to withhold from both consumers and the affected firms that this happened and then simply dismiss it as anything important and don’t worry about it — it is hard to imagine the CFPB would be okay if some private company did that,” said Todd Zywicki, a law professor at George Mason University and senior fellow at the Cato Institute. “I know I have in the past gotten data breach notifications even where there was no evidence of any actual harm, just to alert me that it had happened.”
Banks typically must report an outage or security breach within 36 hours of the incident being detected to their primary regulator — either the Federal Deposit Insurance Corp., the Federal Reserve or the Office of the Comptroller of the Currency — under a Biden administration rule that went into effect last year. The reporting requirements also cover tech vendors of banks that are affected by cybersecurity incidents.
The CFPB said the personally identifiable information on 256,000 consumers primarily included names and transaction-specific account numbers used internally by a financial institution. The data could not be used to gain access to a consumer’s bank account, the bureau said.
The CFPB is not following the guidelines that are set up for banks, which (as mentioned above) have to quickly divulge a data leak to customers. But the agency does not hold itself to that standard, despite the amount of data it collects.
More than a month after the theft was disclosed to lawmakers – counted not from when it happened, but from when it was disclosed – consumers still have not been told that their data was stolen. That presents a huge problem for consumers, who have little recourse because the party responsible is not a bank that can be punished, but a government agency that is not accountable to anyone.
It’s not clear whether there is any possible recourse if that sensitive information did manage to go beyond that one former employee.
“Acted in Accordance With All Relevant Laws”
“The CFPB takes data privacy very seriously and has acted in accordance with all relevant laws and requirements in its response to this incident, including reporting requirements,” the agency’s spokesperson said.
But therein lies the problem: The agency followed all the protocols once it discovered the theft. But what protocols, if any, were in place to prevent it, and how does the agency make sure those protocols are followed? Those are the questions that need to be asked and answered.