An employee at the Consumer Financial Protection Bureau sent confidential data about hundreds of thousands of consumer accounts to their personal email, the agency told CNN on Thursday.
Approximately 14 emails included consumer personally identifiable information, or PII. The employee also sent two spreadsheets that listed names and transaction-specific account numbers related to about 256,000 consumer accounts at one institution.
“The numbers are used internally by the institution, are not the consumers’ bank account numbers, and cannot be used to gain access to a consumer’s account,” the CFPB said.
The Wall Street Journal first reported the incident on Wednesday.
In addition, the agency said it has “identified that the information includes PII regarding customers of 7 institutions” and that it is still working to “identify the sensitivity of the PII and assess the risk of harm to consumers.”
The employee who sent the emails no longer works at the agency, their access to the company network has been revoked and there’s no evidence to suggest that the confidential records were sent beyond their personal email, the CFPB said.
While the employee has been asked to delete the emails and provide proof, they have not yet cooperated. The Office of Inspector General has been notified.
Federal lawmakers and government agencies including the Department of Homeland Security have also been made aware of the incident.
“This unauthorized transfer of personal and confidential data is completely unacceptable. All CFPB employees are trained in their obligations under Bureau regulations and Federal law to safeguard confidential or personal information,” the agency said in a statement to CNN.
Beyond the personally identifiable information listed in the two spreadsheets, the PII on the other institutions is “much smaller,” the CFPB said.
Examples include information on “one institution where the CFPB identified the inclusion of 2 account numbers with no names included, to another where the CFPB identified approximately 140 loan numbers, of which roughly 100 also included de-identified information related to the loan or borrower, such as income, credit score, and demographic information (with no names included).”
The CFPB was created after the 2008 financial crisis, as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act.
The US Supreme Court last month decided to consider a case on the constitutionality of funding for the agency, with the case to be heard in the fall and a decision likely by the summer of next year.