The Consumer Financial Protection Bureau (CFPB) in the US has suffered a “major incident” after a former employee transferred personal and confidential data on about 256,000 people to their personal email account.
The CFPB says the employee had authorised access to the data, which contained personally identifiable information, including names and transaction-specific account numbers of customers from seven unnamed financial institutions. The former staffer forwarded two spreadsheets containing the bulk of the material to their personal email account in 65 emails.
The bureau says the account numbers in the spreadsheets are used internally and cannot be used to access a consumer’s account. However, the CFPB is struggling to ensure that the ex-employee has deleted the data.
The CFPB has confirmed that it has found no evidence that the staffer further disseminated the confidential data after it was sent to their personal email account.
However, Republican politicians, including Rep. Patrick McHenry, chairman of the House Financial Services Committee, have raised concerns about how the bureau safeguards consumers’ personally identifiable information. Rep. Bill Huizenga, chairman of the Oversight and Investigations Subcommittee for the House Committee on Financial Services, has requested a briefing from CFPB Director Rohit Chopra by April 25.
The CFPB is not the first organisation to experience a data breach caused by an employee. Insider threats are a growing concern, with companies looking at more effective ways to protect against them, including identifying anomalous behaviour and implementing access controls, such as limiting permissions to only those needed by an employee to do their job.
In some cases, organisations are also introducing behavioural monitoring software to detect patterns that could indicate a data breach.