To start with, I suppose a small timeline is important. In 2021 the CFPB announced they would be increasing their focus on financial institutions’ data security practices in a circular. They asserted that they did have authority for this and referenced Gramm-Leach-Bliley Act (GLBA) as part of their newly asserted authority. Normally GLBA Safeguards Rule violations are handled by the Federal Trade Commission, but CFPB felt like they should also have a hand in this under their unfair, deceptive, or abusive acts or practices (UDAAP) rules and guidelines.
CFPB has maintained supervisory data on financial institutions (which may also contain sensitive security information) and transaction specific account and tracking numbers that relate to consumers and businesses. Much of this data is specific to the CFPB and not direct bank or other financial data. It is unknown if there is a way to use this information to find out consumer specific financial data but so far, we have been told there is not.
The CFPB database of consumer and financial institutions is quite large as you might imagine. They, as a US Government Agency, have quite the responsibility to both consumers and the financial institutions they cover. Considering that most states also have their own consumer privacy laws and financial laws there has been more than a bit of talk about the increase in regulatory burden how the CFPB could be used abused by a particular administration. The recent “5 Pillars” National Security Strategy statement put out by the Biden-Harris administration shows a move toward consolidating power in Federal Agencies like the CFPB.
Many have argued that the CFPB and their structure is unconstitutional and in July of 2020 the US Supreme Court partially agreed when they moved control of the CFPB under the direction of the sitting US President. It was, to me, an unusual move considering that the CFPB leadership would now be politically partisan since the President and hire and fire them. Still the Ruling in July of 2020 did not affect the existing powers and authority that the CFPB has.
What does all of that have to do with the CFPB data breach? Well, I am glad you asked. One thing that increased regulatory, supervisory, and/or reporting control does in create a new target for attackers. Why should an attack group waste time trying to hit individual companies when they can grab the data from one big repository? Regulatory bodies like CFPB, NYDFS, and many more have information on the state of security of many financial institutions. Because of their supervisory roles (and requirements to report on the state of your controls) they are a great target for threat actors. This includes the potential for insider threats, either malicious or unintended. If groups like CFPB do not have security and data protection controls that exceed those they require of their “cover entities” they are a data breach/leak waiting to happen.
In the case of CFPB an employee was copying their personal email account when sending controlled data. This was not detected by internal controls or tools but was reported by another employee. The event started on February 14th, but CFPB did not notify their oversight committee until March 21st. News articles about the incident began around April 14th and as of this writing (May 1st, 2023) CFPB has not notified any of the 256,000 consumers affected. CFPB maintains that they have not done anything wrong in their handling of this. However, in their own words:
An unfair act or practice is one that:
1. Causes or is likely to cause substantial injury to consumers.
2. Is not reasonably avoidable by consumers.
3. Is not outweighed by countervailing benefits to consumers or competition.
1. the leak of 256,000 consumer records that include private information, and 45 financial institutions is likely to cause harm.
2. Neither the 256,000 consumers nor the 45 Financial Institutions had any control over the lax security practices that allowed an employee to copy their personal email addresses when sending sensitive data
3. CFPB has no competition and has asserted its authority under US law. They have a higher responsibility to the consumer and the institutions they cover.
It seems that according to their own assertions they have violated their own policies.
Now, I am not advocating for no regulation. Not having regulation would be a nightmare for consumers. What I am saying is that I am getting a bit exhausted by regulatory bodies that are not even meeting their own regulations and have little, if any, understanding of the things they are regulating or their overall financial and logistical impacts. An increase in regulation or control does not mean an increase in security. It just means that now all the data is in a single, probably very insecure, bucket. Considering that a properly implemented Data Loss Prevention system would have detected and stopped this event before it happened, it is pretty clear that CFPB is not holding itself to the same standards they are trying to push on everyone else.