The Consumer Financial Protection Bureau (CFPB) data breach occurred in March 2023 at the US Consumer Financial Protection Bureau.[1] [2]
The Consumer Financial Protection Bureau (CFPB) experienced a significant security breach when a former employee transferred confidential information on approximately 256,000 consumers and forty-five financial institutions to their personal email account.[3] [4] The unauthorized transfer involved data from seven firms, though the majority of the consumer information came from one institution.[3] The data was sent over fourteen emails and contained personally identifiable information (PII) of consumers.[5] The employee also sent two spreadsheets with names and transaction-specific account numbers for about 256,000 consumer accounts at a single institution.[5] Neither the firms nor the employee have been publicly identified.[3]
The CFPB first became aware of the abuse on February 14, 2023.[1] [4] It informed U.S. lawmakers of the incident on March 21, but the incident was not made public until April 24.[3] [4] [6] Shortly after the data breach, Senator Cruz and Rep. Donalds authored a bill seeking to eliminate the CFPB.[7]
In response to the 2023 data breach, the Southwest Public Policy Institute (SPPI) established the Bureau to Protect Financial Consumers (BPFCCFPB) to advocate for better oversight and protection of consumer data.[8] The Institute claims this initiative reflects broader concerns about data security and management practices within governmental consumer protection agencies.