Consumer Financial Protection Bureau logo (image source: CFPB, n.d.)
One-sentence summary:
A CFPB employee breached the sensitive data of over 256,000 consumer accounts and 45 financial institutions by forwarding the data to their personal email.
Who was involved?
CFPB (Consumer Financial Protection Bureau), a CFPB employee, and 256,000 consumers (and, potentially, 45 financial institutions).
What was the timeline?
February 14, 2023: CFPB learns of the data breach
March 21, 2023: CFPB notifies Congress of the breach
April 19, 2023: Sen. Tim Scott requests information from the CFPB
May 8, 2023: Deadline given for CFPB to respond
What occurred?
A CFPB employee forwarded the sensitive data of over 256,000 consumer accounts and “45 financial institutions” to their personal email (Pymnts, 2023). The CFPB Office of Inspector General (OIG) is currently investigating the incident (Pymnts, 2023). The employee was terminated after the breach was discovered (O’Donnell, 2023). The former employee is also alleged to have not deleted the sensitive data (Pymnts, 2023).
Estimated costs:
TBA
Involved laws:
TBA
Root cause:
Insider: employee
Lessons learned:
DLP (Data Loss Prevention) technologies are of substantial importance when planning and responding to potential insider threats. Email DLP solutions can proactively detect and prevent breaches similar to these by stopping the breach at the mail gateway and quarantining affected data. It is going to be interesting to see how the breach was able to occur with these potential controls in place since the size was so large.
Example DLP Solutions:
Proofpoint Email DLP: https://www.proofpoint.com/us/products/information-protection/email-dlp
Armorblox Email DLP: https://www.armorblox.com/learn/email-dlp/
Mimecast Email DLP: https://www.mimecast.com/content/email-data-loss-prevention/
Forcepoint Email DLP: https://www.forcepoint.com/product/dlp-cloud-email
Sources:
CFPB. (n.d.). logo_open-graph_facebook.d0dedfbe1787.png. consumerfinance.gov. https://www.consumerfinance.gov/static/img/logo_open-graph_facebook.d0dedfbe1787.png
O’Donnell, K. (2023, April 19). CFPB says employee breached data of 250,000 consumers in ‘major incident.’ POLITICO. Retrieved April 20, 2023, from https://www.politico.com/news/2023/04/19/cfpb-employee-consumer-data-breach-00092919
Pymnts. (2023, April 20). CFPB Data Breach Exposes Data of 250,000 Consumers and 45 Banks. PYMNTS.com. https://www.pymnts.com/news/cfpb/2023/cfpb-suffers-data-breach-involving-consumers-and-financial-institutions/
Commentary:
This report will be updated after the Congressional testimony is made by the CFPB.
