Major US CFPB Data Breach Caused by Employee
The sensitivity of the personal information involved in the breach has yet to be determined by agency officials, but it affects 256,000 consumers.
The Consumer Financial Protection Bureau (CFPB), an agency of the US government that protects consumers in the financial sector, announced that an employee committed a major breach in emailing the personal information of 256,000 consumers to a personal email account.
In briefings between lawmakers and consumer bureau director Rohit Chopra, agency staff informed elected officials that they first learned of the breach on Feb. 14. Rep. Bill Huizenga, who chairs the Financial Services Committee's investigation panel on the matter, stated in a letter to Chopra that "the transfer of records could have possibly implicated more than 50 financial institutions' sensitive information" and requested a briefing before a deadline of April 25.
The agency has terminated the employment of the individual who committed the breach and has asked the person to delete the emails and provide proof of deletion, though the person has yet to comply with these requests.
"This unauthorized transfer of personal and confidential data is completely unacceptable. All CFPB employees are trained in their obligations under Bureau regulations and Federal law to safeguard confidential or personal information," the agency stated.
At this time, the agency has determined that the information involved in the breach includes personally identifiable information (PII) of customers from seven institutions, though it is not yet sure how sensitive that PII is and is still assessing the level of risk to the consumers involved.
"Unfortunately, this is an example of clumsy handling of sensitive data. Even if there was no ill intent by the individual concerned, there are still huge risks to data privacy: whether the email was encrypted, who else has access to that email account, and whether there's a strong password or MFA enabled on the personal email account," Darren James, senior product manager with Specops Software, said in an emailed statement. "The CFPB has a lesson to learn here in responsible data handling. Any training done has failed, and more emphasis should be made on Cyber Aware Training in the future to prevent poor security hygiene like this instance."