2023 Consumer Financial Protection Bureau data breach

The Consumer Financial Protection Bureau (CFPB) data breach occurred in March 2023 at the US Consumer Financial Protection Bureau.

Data breach
The Consumer Financial Protection Bureau (CFPB) experienced a significant security breach when a former employee transferred confidential information on approximately 256,000 consumers and forty-five financial institutions to their personal email account. The unauthorized transfer involved data from seven firms, though the majority of the consumer information came from one institution. The data was sent over fourteen emails and it contained personally identifiable information (PII) of consumers. The employee also sent two spreadsheets with names and transaction-specific account numbers for about 256,000 consumer accounts at a single institution. Neither the firms nor the employee have been publicly identified.

The CFPB first became aware of abuse on 14 February 2023. They informed U.S. lawmakers of the incident on March 21, but it was not made public until April 24th. Shortly following the data breach, Senator Cruz and Rep Donalds authored a bill seeking to eliminate the CFPB.

Aftermath
In response to the 2023 data breach, the Southwest Public Policy Institute (SPPI) established the Bureau to Protect Financial Consumers (BPFCCFPB) to advocate for better oversight and protection of consumer data. The Institute claims this initiative reflects broader concerns about data security and management practices within governmental consumer protection agencies.