CFPB staffer forwarded data on 250K consumers to personal account

A now-former Consumer Financial Protection Bureau (CFPB) employee sent the personal information of over 250,000 individuals to their personal email account, the agency said, calling the privacy breach “completely unacceptable.”

The data sent by the employee, who was cleared to access the information in their day-to-day duties, included two spreadsheets with transaction-specific account numbers for around 256,000 individuals at a single institution, according to the CFPB. 

The bureau clarified that the account numbers were for internal use only, and couldn’t be used to access an individual’s personal accounts or bank account numbers. There was also no evidence that the information had been disseminated by the now-fired employee.

“The CFPB takes data privacy very seriously, and this unauthorized transfer of personal and confidential data is completely unacceptable,” the agency said in a statement to The Hill. “We have referred the matter to the Office of the Inspector General, and we are taking appropriate action to address this incident.”

The bureau said it has identified information that included customers of at least seven different institutions, but said the scale of the information breached for the other institutions is much smaller. The data from other firms included account numbers, loan numbers and demographic information.

After the bureau identified the incident, the person’s access to its network was blocked.

The agency also directed the former employee to delete all of the emails and confirm that they were deleted. However, they have not yet complied with that demand as of Wednesday.

Congress and other federal authorities have been made aware of the incident.