CFPB Hacked Hundreds of Times, Risking Sensitive U.S. Financial Data

Disclosure: 240 confirmed hacks, 800 suspected, risking mortgage info, Social Security numbers, personal banking info

Mick Mulvaney
Mick Mulvaney / Getty Images
April 12, 2018

The Consumer Financial Protection Bureau, or CFPB, confirmed on Wednesday that it had been struck by at least 240 hack attacks and another 800 suspected hacks, jeopardizing mortgage information, Social Security numbers, and personal banking information of scores of Americans, according to congressional testimony. 

Acting CFPB Director Mick Mulvaney disclosed these figures under questioning by Sen. David Perdue (R., Ga.) during a hearing on the agency's collection of American citizens' data and the risk this poses due to an increasing cyber threat.

The agency has faced questions over its large-scale collection of Americans' credit card transactions, home loan applications, and other major financial information.

The issue has topped the congressional agenda in the wake of concerns that rogue nation-states and other actors have hacked the U.S. database, risking the mass collection of sensitive financial information.

Mulvaney disclosed that the agency has been able "to document about 240 lapses in our data security."

"I want to be careful about what I say, and I would be happy to talk about this more in private, but we have been able to document about 240 lapses in our data security," Mulvaney said.

When pressed on the issue, Mulvaney further revealed the agency is investigating another 800 suspected attacks.

"I think data got out that should not have gotten out," Mulvaney said, referring the 240 confirmed attacks. "There's another 800 that we suspect that we haven't been able to confirm."

The nature of the hacked information could include personal bank account information as well as Social Security information.

"800 potential exfiltrations so far?" Perdue asked. "And this could be not just Social Security numbers, but this could be my personal bank account. Is that correct?"

"It could be a lot of different things, yes. Including those," Mulvaney said.

The security situation could be much more dire, according to Mulvaney, who said that "everything" the agency keeps on file is subject to being obtained by a malicious third party.

"Every single factor that I have as an individual in the United States, every single financial factor can be reviewed and can be collected and can be exposed by the CFPB. Is that correct?" Perdue asked.

"Everything we keep is subject to being lost, yes," Mulvaney admitted.

Asked to disclose if that type of information has been lost, Mulvaney demurred.

"I don't want to say anything, but I'm more than happy to talk to all of you about what I've talked with the inspector general about," he said, requesting closed door conversations with lawmakers. "I think it actually does more harm than good to mention it in a public setting."

Perdue said the situation is all the more troubling because Congress does not currently have proper authority to audit and perform oversight of the CFPB.

"I am absolutely concerned about the exposure of our data in this rogue agency that has no responsibility to this Congress," Perdue said. "I'm very concerned about the security of our financial information that nobody in my state really understands the CFPB is collecting."

Another troubling issue is that the CFPB allows third parties to store some of its data.

"I was under the impression we kept most of our own, but I've just been told some of our data is kept by third parties," Mulvaney admitted.