CFPB says employee breached data of 250,000 consumers in ‘major incident’

The CFPB said an employee forwarded the personal information of more than a quarter-million consumers to a personal email account, an incident that the bureau described as a “major” breach.

The employee, who was fired when the data breach came to light, sent spreadsheets with names and transaction-specific account numbers related to those 256,000 consumer accounts at a single institution, according to the bureau. The CFPB did not identify the now-former employee.

Republican lawmakers requested briefings from consumer bureau Director Rohit Chopra on the matter.

“This breach raises concerns with how the CFPB safeguards consumers’ personally identifiable information,” House Financial Services Chair Patrick McHenry said in a statement. “Republicans will ensure any bad actors are held accountable.”

CFPB spokesperson Sam Gilford said the bureau has referred the matter to the inspector general and is “taking appropriate action to address this incident.”

“The CFPB takes data privacy very seriously, and this unauthorized transfer of personal and confidential data is completely unacceptable,” Gilford said. “All CFPB employees are trained in their obligations under bureau regulations and Federal law to safeguard confidential or personal information.”

In an email sent on March 21 notifying lawmakers about the “major incident,” agency staff said they had learned of the breach on Feb. 14.

The Wall Street Journal earlier reported the story.

Rep. Bill Huizenga (R-Mich.), chair of the Financial Services Committee’s investigations panel, asked for a briefing no later than April 25 on the “mitigation and remediation efforts, the scale of the breach, as well as efforts made to give the appropriate notifications” in a letter to Chopra Tuesday.

“My understanding is that the transfer of records could have possibly implicated more than 50 financial institutions’ sensitive information,” Huizenga wrote. “If these facts prove to be true, the effects could be widespread and injurious.”

Sen. Tim Scott (R-S.C.), the top Republican on the Senate Banking Committee, also pressed Chopra for details Wednesday in a letter requesting his own briefing by May 8.

Scott said the agency’s recent rule requesting small business lending data — including personally identifiable information — is “highly concerning given that the CFPB has provided limited insight to Congress into the CFPB’s data management practices and efforts to ensure the privacy of consumer and small business data.”

A spokesperson for Senate Banking Chair Sherrod Brown said the agency “followed protocols” by notifying congressional oversight committees.

“The CFPB has taken every step required of the agency, and any wrongdoers must be held accountable for misconduct,” Brown spokesperson Alysa James said.