A Consumer Financial Protection Bureau (CFPB) employee sent confidential data of more than 250,000 consumers to a personal email account. About 14 of the emails contained consumers’ personally identifiable information (PII).
The alleged rogue employee also sent a couple of spreadsheets that listed banks and transaction-specific account numbers related to the affected 250,000 consumer accounts of the financial institution.
Fortunately, the Consumer Financial Protection Bureau only uses the numbers internally; hence, the employee could not use the exfiltrated numbers to gain access to a consumer’s bank account.
The CFPB is still trying to determine how critical the PII could be to the affected consumers.
The CFPB stated that the exposed data includes the PII of customers belonging to multiple other institutions. It is still investigating whether the exposed PII could threaten the consumers.
The rogue employee who copied the emails no longer works for the CFPB. Additionally, the agency revoked the rogue employee’s access to its network. The investigation also revealed no evidence suggesting the employee sent the records to other email accounts.
The agency also asked the employee to delete the emails and provide proof of the deletion, but the employee has yet to cooperate. The agency notified the Department of Homeland Security regarding the incident and contacted relevant authorities.
The Department of Homeland Security stated that the unauthorised transfer of personal and confidential data is unacceptable. CFPB employees are trained to uphold Federal law under Bureau regulations and to safeguard every customer’s confidential and personal information, as it is their responsibility.
The current investigation showed that the personally identifiable information listed in the two spreadsheets holds essential data. In contrast, the other spreadsheet, which contained PII of other institutions, contained only a smaller amount of information.
The CFPB stated that one institution only has two account numbers, which do not have names. Furthermore, the institution also claimed 140 loan numbers in the transferred data, 100 of which are de-identified information related to the consumers.