CFPB employee sent data of 250,000 customers to personal email

Treliant Takeaway:

Treliant’s Regulatory Compliance and Risk Management practices provide superior advisory services regarding regulatory and compliance issues. Whether you are a bank, credit union, fintech or an independent mortgage lender, we can help. Each engagement is staffed with deep subject matter professionals and customized to meet your needs.

Article Highlights:

In February, “a Consumer Financial Protection Bureau employee sent personally identifiable information linked to at least 256,000 consumers to a personal email account in a breach of the agency’s data protections.” The information included names and transaction-related numbers for 256,000 consumers at a single financial institution; it did not include bank account details. About 14 additional emails contained personally identifiable information relating to consumers at seven other financial institutions.

According to the CFPB, the employee no longer works for the Bureau, and there is no indication that the data went beyond the employee’s personal account. However, the employee has not complied with the Bureau’s request for an attestation that the emails have been deleted. The Bureau alerted Congress about the breach in March.

“The CFPB takes data privacy very seriously, and this unauthorized transfer of personal and confidential data is completely unacceptable. All CFPB employees are trained in their obligations under Bureau regulations and Federal law to safeguard confidential or personal information,” a spokesperson said in a statement. “We have referred the matter to the Office of the Inspector General, and we are taking appropriate action to address this incident.”

Treliant Commentary:

CFPB’s data breach highlights the need for institutions to maintain an email monitoring solution that can track emails, both incoming and outgoing, and raise alerts on suspicious activity, including emails sent to personal accounts. According to Politico, the alleged perpetrator of the Bureau’s breach sent spreadsheets containing names and transaction-specific data to a personal account.[1] Email monitoring efforts could also include blocking attachments on externally addressed emails and scanning emails and attachments for data that could be deemed confidential.
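The three controls described in the commentary, as an added example that is not Treliant’s or the CFPB’s code: a small outbound-mail policy check in Python that alerts on mail addressed to personal webmail domains, blocks attachments sent outside the organisation, and scans bodies and attachments for confidential-looking content (bulk consumer records, Social Security numbers, or a confidentiality marking). The internal domain, the webmail deny list, the record format, and the bulk threshold are assumptions, and the sample messages are constructed.

```python
"""Outbound e-mail monitoring checks of the kind described above: alert on
mail to personal webmail accounts, block attachments sent externally, and
scan bodies and attachments for confidential-looking data.

Added example, not Treliant or CFPB code. Domain names, thresholds, the
record format and the sample messages are assumed/constructed.
"""

import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example-bank.test"   # assumed: the organisation's own mail domain
PERSONAL_WEBMAIL = {                     # assumed deny list of consumer webmail domains
    "gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com", "protonmail.com",
}
BULK_RECORD_THRESHOLD = 50               # assumed policy: this many consumer records counts as bulk

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# One consumer record per line: "Surname, Given, <8+ digit identifier>" (constructed format)
RECORD_RE = re.compile(r"^[A-Za-z'.-]+,[ \t]*[A-Za-z'. -]+,[ \t]*\d{8,}[ \t]*$", re.MULTILINE)


@dataclass
class Attachment:
    name: str
    text: str          # text already extracted from the file (CSV/XLSX/PDF parsing assumed upstream)


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class Finding:
    rule: str
    action: str        # "alert" or "block"
    detail: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def confidential_indicators(text: str) -> dict:
    """Count the signals that suggest confidential consumer data in a text."""
    return {
        "ssn": len(SSN_RE.findall(text)),
        "records": len(RECORD_RE.findall(text)),
        "marked": "CONFIDENTIAL" in text.upper(),
    }


def evaluate(msg: Message) -> list:
    """Return the findings for one outbound message (empty list means allow)."""
    findings = []
    if domain_of(msg.sender) != INTERNAL_DOMAIN:
        return findings  # inbound mail is covered by a separate policy, not this one
    external = [r for r in msg.recipients if domain_of(r) != INTERNAL_DOMAIN]
    personal = [r for r in external if domain_of(r) in PERSONAL_WEBMAIL]
    if personal:
        findings.append(Finding("personal-webmail", "alert",
                                "sent to personal account(s): " + ", ".join(personal)))
    if external and msg.attachments:
        findings.append(Finding("external-attachment", "block",
                                "attachment(s) to external recipient(s): "
                                + ", ".join(a.name for a in msg.attachments)))
    # Content scan covers the body and every attachment; outside the organisation it blocks,
    # inside it only alerts so that legitimate internal workflows keep working.
    parts = [("body", msg.body)] + [(a.name, a.text) for a in msg.attachments]
    for label, text in parts:
        ind = confidential_indicators(text)
        if ind["ssn"] or ind["marked"] or ind["records"] >= BULK_RECORD_THRESHOLD:
            findings.append(Finding("confidential-content", "block" if external else "alert",
                                    f"{label}: {ind['records']} consumer records, {ind['ssn']} SSNs, "
                                    f"confidentiality marking={ind['marked']}"))
    return findings


def decision(msg: Message) -> str:
    """Collapse findings into the gateway action: block > alert > allow."""
    actions = {f.action for f in evaluate(msg)}
    return "block" if "block" in actions else "alert" if "alert" in actions else "allow"


# Constructed sample traffic (no real consumers or institutions).
SURNAMES = ["Smith", "Jones", "Brown"]
BULK_CSV = "\n".join(f"{SURNAMES[i % 3]}, Pat, {41200000000 + i}" for i in range(60))

TO_PERSONAL = Message("analyst@example-bank.test", ["analyst.home@gmail.com"],
                      "stuff", "FYI, spreadsheet attached.",
                      [Attachment("transactions_q1.csv", BULK_CSV)])
INTERNAL_ONLY = Message("analyst@example-bank.test", ["reviewer@example-bank.test"],
                        "Q1 review", "See attached.", [Attachment("transactions_q1.csv", BULK_CSV)])
CLEAN_EXTERNAL = Message("analyst@example-bank.test", ["contact@vendor.test"],
                         "Meeting", "Can we move Thursday's call to 3pm?")

if __name__ == "__main__":
    for m in (TO_PERSONAL, INTERNAL_ONLY, CLEAN_EXTERNAL):
        print(m.subject, "->", decision(m))
        for f in evaluate(m):
            print("   ", f.rule, f.action, f.detail)
```

A spreadsheet of consumer records mailed to a webmail address, the pattern reported in the CFPB case, trips all three rules here and is blocked; the same spreadsheet sent to a colleague only raises an alert. In production these checks belong at the mail gateway or in a DLP product rather than in a script, the record pattern has to be tuned to the institution's own data formats, and attachment text extraction (and decryption of password-protected files, which this example does not handle) has to happen before the scan.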

Maintaining a robust information security and information technology environment is critical for continued compliance and success. Ongoing monitoring and testing should confirm that controls continue to work effectively and efficiently.


Ready to Talk?

We work with you to understand your needs, so we can tailor our approach to your engagement. Learn more when you connect with our team.