A Consumer Financial Protection Bureau (CFPB) employee forwarded records containing personal information on approximately 256,000 consumers at one financial institution, as well as confidential supervisory information at 45 other institutions, to a personal email address, the Wall Street Journal reported.
The agency, already under fire by Republican lawmakers, described the breach to Congress as a major incident.
While most of the personal information was tied to consumers at one unidentified institution, the emails included information on consumers from seven firms, a CFPB spokesperson told the Journal.
The incident was first spotted by the agency in February and disclosed to lawmakers on March 21, the Journal reported. The CFPB did not say why the employee – who has since been terminated – forwarded the emails to a personal account.
The CFPB downplayed the severity of the data beach, stating that the personal information contains two spreadsheets with names and transaction-specific account numbers used internally by the financial institution. The spreadsheets don’t include the consumers’ bank account numbers and can’t be used to access a consumer’s account, the spokesman said.
The former CFPB staffer as of Wednesday had not complied with a request to delete the emails.
Republican lawmakers seized on the data breach, issuing statements that implored Director Rohit Chopra to release more details.
“Why should the CFPB be trusted to collect more data, burdening financial institutions and potentially limiting services for consumers, when they themselves have demonstrated an irresponsible handling of consumers’ financial information?” said Sen. Tim Scott of South Carolina, the top Republican on the Senate banking panel.
Much of the mortgage industry would be glad to see the regulator taken down a peg. The CFPB, which regulates independent mortgage banks and so-called “fintechs,” has been a thorn in the side of lenders and servicers since its formation following the Great Financial Crisis.
Under Chopra, the CFPB has stepped up enforcement actions against the mortgage industry, which has increased compliance costs. Mortgage Bankers Association president and CEO Bob Broeksmit in October described the agency as “judge, jury and executioner, all in one.”
He called for the agency to “establish clear and consistent standards, providing the opportunity for notice and comment when enacting rules. Unfortunately, the Bureau isn’t always abiding by this commonsense system, announcing new legal obligations without formal process or deliberation, enforcing novel and untested legal theories, and making it very difficult for firms to understand their legal obligations.”
The agency is also fighting constitutional challenges on several fronts. The Supreme Court is expected to hear a case that will determine the agency’s funding structure, by which it receives funding through the Fed rather than appropriations legislation passed through Congress.
A panel of Trump-appointed judges on the Fifth Circuit U.S. Court of Appeals in 2022 determined that the agency’s funding source is unconstitutional. In a separate case, the Second Circuit U.S. Court of Appeals, comprising the districts of Connecticut, New York and Vermont, decided in March that the funding provisions for the CFPB are constitutional.