About 1,000 records of data containing Americans’ financial and personal information may have been hacked after breaches of the federal Consumer Financial Protection Bureau, officials say.
“I am absolutely concerned about the exposure of our data in this rogue agency that has no responsibility to this Congress,” @SenDavidPerdue says.
The CFPB, the government agency created by the Dodd-Frank bill that grew out of the financial crisis in 2008, scoops up information that includes Social Security numbers, loan data, credit scores, employment records, phone numbers, and addresses.
Of the 1,000 records at issue, some are suspected of having been hacked, others definitely were.
“Even if the CFPB’s computers are no more hackable than other government agencies, some of the data it collected—from banks and credit card companies—is more sensitive and more harmful to consumers if stolen,” Ronald L. Rubin, a former enforcement lawyer for the agency who also was a chief adviser on regulatory policy for the House Financial Services Committee, told The Daily Signal.
CFPB acting Director Mick Mulvaney told the Senate Banking, Housing, and Urban Affairs Committee earlier this month that the agency documented 240 hacks into data and another 800 suspected breaches.
“It could be a lot of different things, yes. Including those,” Mulvaney, also director of the Office of Management and Budget, told Sen. David Perdue, R-Ga., a committee member who asked whether the data included all banking information and Social Security numbers.
Mulvaney later added: “Everything we keep is subject to being lost.”
In late November, President Donald Trump named Mulvaney as acting CFPB director after Richard Cordray, the agency’s first director, resigned to run as a Democrat for Ohio governor.
In December, Mulvaney announced plans to halt the agency’s collection of personal data because of cybersecurity problems. At the April 12 Senate hearing, however, Mulvaney explained the depth of the problem and how many financial records were at risk.
Perdue said he wants to revisit the security issue.
“I would like to propose a follow-up meeting about this because I am absolutely concerned about the exposure of our data in this rogue agency that has no responsibility to this Congress,” Perdue said during the hearing. “I’m very concerned about the security of our financial information that nobody in my state really understands the CFPB is collecting.”
However, Sen. Elizabeth Warren, D-Mass., who conceived the agency before she was elected to the Senate, strongly objected to stopping the data collection. In a Jan. 4 letter to the agency, she wrote: “CFPB cannot fulfill its core functions without collecting personally identifiable information.”
A 2015 report by the Federal Reserve Bank’s inspector general warned against sharing massive databases of private information with outside contractors. The report found that collection of credit card information fell short of cybersecurity safeguards, using outdated encryption to secure the information.
However, another inspector general’s report last year found some improvement, showing that the security program was operating at a “consistently implemented” level, but should “mature” to a “managed and measurable” level.
The Government Accountability Office found in 2014 that the CFPB “has not yet fully implemented a number of privacy control steps and information security practices, which could hamper the agency’s ability to identify and monitor privacy risks and protect consumer financial data.”
Rubin, the former lawyer at the agency, contends in a HousingWire op-ed that the agency wasn’t always entirely forthcoming with the inspector general under Cordray’s leadership.
“Before Mr. Mulvaney took over, the CFPB played hide-the-ball when its inspector general and Congress were investigating problems like inadequate data security,” Rubin told The Daily Signal.
Cyber vulnerabilities are not unique to the consumer agency, said David Inserra, cybersecurity policy analyst for The Heritage Foundation.
“Most of the focus has been on private sector data breaches such as Equifax,” Inserra told The Daily Signal.
But, he said, in recent years hackers breached both the Internal Revenue Service, which also holds vast amounts of personal financial data on taxpayers, and the Office of Personnel Management, which holds information on every federal employee.
One means of fighting hackers would be to allow victims of breaches to digitally track them and report information to law enforcement, Inserra said, but such “active cyberdefense” is not permitted under various federal and state laws. So the tactic would take an act of Congress.
“The solution is not throwing more security standards and government regulations at this,” Inserra said. “We see the government is not the entity that should be setting these rules, because the government has plenty of its own failures. The CFPB has Social Security numbers, banking information; this is serious stuff to lose. It should have policymakers responding as to whether government is equipped to safeguard data.”