Up to 800 data breach incidents at CFPB

  • 16 April 2018
  • NormanL

The media and Congress had great fun grilling Facebook founder Mark Zuckerberg about how his social media company handles its users' private information. But while that circus was underway, a less well-covered, but far more critical, hearing was taking place. The subject: sensitive data has been stolen from millions of Americans. Where was it stolen from? The United States government.

Specifically, the Consumer Financial Protection Bureau, which was a favorite target for hackers looking for rich veins of lightly protected information:

On Wednesday, Mick Mulvaney told Congress that the Consumer Financial Protection Bureau was hacked 240 times — that he knows of — and possibly another 800 times.

As a result, he said, "data got out that should not have got out."

Why does this matter?

Democrats created the CFPB as part of the Dodd-Frank financial reform bill. The goal was to create a powerful agency devoted to, as the name implies, protecting consumers from abuse at the hands of banks, credit card companies, and lenders.

But once in operation, the CFPB started collecting and stockpiling data from more than 600 million credit card accounts, along with personal data from almost all mortgage loans taken out since 1998, as well as car payments and other financial data. All without anyone's knowledge or consent.

That means the CFPB has a storehouse of highly personal data — Social Security numbers, bank accounts, mortgage information, credit card data — on just about every American. It's a data set Facebook could only dream of getting its hands on.

Worse, while the CFPB was sucking up all this data, it failed to install proper cybersecurity protection, a fact that independent auditors repeatedly pointed out to its leaders.

In 2014, the Government Accountability Office warned that "additional efforts are needed in several areas to reduce the risk of improper collection, use, or release of consumer financial data."

A year later, an inspector general audit found that the CFPB had still "not yet fully implemented a number of privacy control steps and information security practices."

Even as recently as last fall, the IG said that the agency still "has further opportunities to ensure that its information security program is effective."

It's easy to shake a political fist at someone like Mark Zuckerberg. But he runs a private company which can be held accountable, by law and the marketplace, for poor or shady business practices.

The federal government, however, has no competitors. When it gathers your data -- via the force of law -- and then does little to protect it from bad actors, there is a collective shrug of the shoulders. The proper response ought to be outrage, and a demand not just for accountability, but for bureaucratic heads to roll.