The Consumer Financial Protection Bureau (CFPB) is in the hot seat this week after it came to light that an employee forwarded the sensitive data of over 250,000 consumers to their personal email account.
But this wasn’t just an isolated incident. The employee responsible exfiltrated sensitive information numerous times, sending over 60 emails to his personal account without raising the alarm.
Here’s everything you need to know.
Breakdown of the CFPB insider breach
The CFPB breach centers on a former (now fired) employee, who downloaded two spreadsheets containing personally identifiable information, such as names and transaction-specific account numbers, relating to 256,000 consumer accounts at seven institutions, as well as confidential supervisory information at 45 other institutions.
The employee managed to share this information with his personal email account, sending himself 65 emails with sensitive data attached, all without being noticed.
In fact, the agency only caught on to something suspicious after a member of the former employee’s team noticed the perpetrator had copied their personal email address into work correspondence, which is against agency policy.
The colleague flagged the issue internally and the CFPB began looking at the former employee’s email communications. When they did, they found the email chains, fired the employee and began an internal investigation.
This all happened around February 14. It was over a month later, on March 21, that the agency notified lawmakers about the incident.
The CFPB’s reasoning for this lag is the time it took the body to conduct an in-depth review. It explained:
“After an initial review, more in-depth reviews were needed to understand the data itself. It was during this review that CFPB staff identified the volume of PII in one email’s attachments and understood the scope of the incident.”
“Once discovered, the CFPB acted swiftly, convening a response team on the same day, and making the major incident determination the following morning (Friday, March 17).”
Currently the investigation into the incident is still ongoing, although the CFPB is attempting to reassure the public by stressing that it found no evidence the ex-employee shared the sensitive information with any third parties. At the same time, though, the former employee is refusing to provide evidence that the material has been deleted.
“The CFPB has directed the former employee to delete the emails from their personal account, certify that each email was deleted, and provide attestation once those actions were completed. The former employee has not complied with this demand,” a CFPB spokesperson said.
What next?
As is required by law, the CFPB has shared information about the breach with the Office of Inspector General (OIG), Congress, the Department of Homeland Security/Cybersecurity and Infrastructure Security Agency, the Office of Management and Budget, and the Financial and Banking Information Infrastructure Committee.
Lawmakers, however, are extremely concerned about the incident, with multiple officials making requests for an official briefing with the CFPB to better understand what happened and the possible ramifications.
“If these facts prove to be true, the effects could be widespread and injurious,” said U.S. Rep. Bill Huizenga, R-Mich., chair of the House Subcommittee on Oversight and Investigations, in his letter to the CFPB requesting more information on the data breach.
U.S. Rep. Patrick McHenry, R-N.C., chair of the House Financial Services Committee, said: “This breach raises concerns with how the CFPB safeguards consumers’ personally identifiable information. Republicans will ensure any bad actors are held accountable.”
Could this incident have been avoided?
Insider threats within financial services are nothing new. IBM research found that 60% of all cyber attacks are carried out by insiders, and that the financial services sector is one of the top three industries plagued by the problem.
Given that insider threats are so prevalent, you would think—at least hope—that institutions such as the CFPB would have the right protections in place to protect against such risks.
And herein lies the issue. It would appear that the CFPB had no alert system in place to notify the security team when, firstly, an employee downloaded vast amounts of sensitive information and, secondly, shared that information with an unauthorized email address.
In fact, this problem could’ve been entirely avoided had the body invested in data loss prevention (DLP), a tool that automatically discovers, classifies and protects sensitive information from unlawful or risky exposure.
Assuming the employee attempted to download the spreadsheets from a cloud-based service like Teams or Google Drive, our tool, Polymer DLP, would have sprung into action, autonomously noticing the suspicious action and blocking the user in real time.
From there, it would’ve sent an alert to the security team for further investigation, while also sharing a prompt with the employee in question, explaining why the action was blocked, so they’re put off from trying again.
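To make the missing controls concrete, here is an added example (not Polymer’s code and not anything the CFPB runs) of the checks an outbound-mail DLP rule would need for this scenario: flag a personal webmail address copied on work mail, block a spreadsheet carrying bulk account numbers, and escalate repeated sends to the same personal address. The domain list, thresholds, account-number pattern and sample messages are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed policy values; assumptions for this example, not any real configuration.
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SPREADSHEET_EXT = (".xlsx", ".xls", ".csv")
ACCOUNT_RE = re.compile(r"\b\d{10,16}\b")   # placeholder account-number shape
BULK_PII_THRESHOLD = 50   # account numbers in one message before it is blocked
REPEAT_THRESHOLD = 3      # messages to one personal address before escalating

def personal_addresses(addresses):
    """Addresses at consumer webmail domains, i.e. outside the organisation."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() in PERSONAL_WEBMAIL]

def count_account_numbers(attachments):
    """Rough classifier: account-number-like values inside spreadsheet exports."""
    return sum(len(ACCOUNT_RE.findall(b)) for n, b in attachments if n.lower().endswith(SPREADSHEET_EXT))

def evaluate(messages):
    """Replay outbound mail in order; return (id, action, reason) per message that touches a
    personal address: bulk PII -> block; repeat sends -> alert; CC'd personal address -> alert."""
    tally = defaultdict(int)   # (sender, personal address) -> messages seen so far
    hits = []
    for m in messages:
        cc = m.get("cc", [])
        personal = personal_addresses(m["to"] + cc)
        if not personal:
            continue
        for addr in personal:
            tally[(m["from"], addr)] += 1
        pii = count_account_numbers(m.get("attachments", []))
        reps = max(tally[(m["from"], a)] for a in personal)
        if pii >= BULK_PII_THRESHOLD:
            hits.append((m["id"], "block", f"{pii} account numbers sent to {personal[0]}"))
        elif reps >= REPEAT_THRESHOLD:
            hits.append((m["id"], "alert", f"{reps} messages to {personal[0]}"))
        elif personal_addresses(cc):
            hits.append((m["id"], "alert", f"personal address copied on work mail: {personal[0]}"))
        else:
            hits.append((m["id"], "log", f"mail to {personal[0]}"))
    return hits

# Constructed sample (not real CFPB mail): personal address CC'd on a work thread, then a
# 60-row spreadsheet, then a third message with a harmless attachment to that same address.
ROWS = "\n".join(f"Jane Doe,{4100000000 + i},2023-02-01" for i in range(60))
SAMPLE = [
    {"id": 1, "from": "analyst@agency.example", "to": ["team@agency.example"], "cc": ["analyst.home@gmail.com"]},
    {"id": 2, "from": "analyst@agency.example", "to": ["analyst.home@gmail.com"], "attachments": [("accounts.xlsx", ROWS)]},
    {"id": 3, "from": "analyst@agency.example", "to": ["analyst.home@gmail.com"], "attachments": [("notes.txt", "4100000001 notes")]},
]
```

Running `evaluate(SAMPLE)` yields an alert for the CC’d personal address, a block for the spreadsheet, and a repeat-send alert for the third message; in a real deployment the block decision is what stops the transfer, and the alert is what gets the security team looking at the mailbox weeks earlier than a colleague’s tip-off would.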
Curious to learn more about Polymer DLP for FS? Request a free demo today.