Uh Oh… CFPB Suffered More Than 1,000 Data Breaches
The Consumer Financial Protection Bureau (CFPB) suffered at least 240 data breaches and another 800 suspected hacks, according to congressional testimony by Mick Mulvaney, the acting director of the bureau.
Mulvaney is the first CFPB official to admit the agency’s massive data mining of consumer mortgage and credit card information is vulnerable to hackers and that databases have been breached. Former bureau director Richard Cordray and other CFPB officials previously refused to disclose any information about possible data breaches.
Cordray and Sen. Elizabeth Warren of Massachusetts both embraced the idea of launching a mammoth data mining collection program at CFPB that focused on America’s consumers. They admitted to Congress in 2014 they were in the process of collecting 991 million American credit card accounts and accumulating 95 percent of the 53 million residential mortgages taken out since 1998.
Warren helped to shape a new economic theory called “behavioral economics” while at Harvard that led to the use of big data by government for research purposes. Her practice relied on massive uses of consumer data and she encouraged its application at the CFPB.
“We’re collecting aggregated information,” Cordray told incredulous congressmen at a January 2014 House Financial Committee hearing after the size of the data mining had been revealed. The committee has oversight for CFPB.
“Can you, Mr. Cordray, personally guarantee that the consumer information is 100 percent secure?” asked Rep. Randy Neugebauer, a Republican from Texas, at the hearing.
Cordray said he could not, but added the CFPB “attempt[s] to safeguard any information we have about the American public.”
Later in the hearing, Neugebauer asked if CFPB and NSA “are in a contest of who can collect the most information?”
In a hearing on Wednesday before the Senate Banking, Housing and Urban Affairs Committee, Sen. David Perdue asked Mulvaney about how CFPB protects the consumer data and if there have been hacks.
“So, the question then is: how is that stored,” Senator Perdue asked. “Where is it stored? Are there third parties involved? Have you been hacked? Can you provide a report to this committee with regard to that data? Have there been any breaches to your knowledge before you got there and since you’ve been director?”
Mulvaney, who has been on the job for less than six months, answered, “we have been able to document about 240 lapses in our data security.” Perdue expressed surprise at Mulvaney’s revelation.
Their question and answer session continued:
Senator Perdue: “‘Lapses?’ Is that a breach?”
Director Mulvaney: “I think data got out that should not have gotten out. There’s another 800 suspected that we haven’t been able to confirm.”
Senator Perdue: “800 potential exfiltrations so far? And this could be not just social security numbers, but this could be my personal bank account. Is this correct?”
Director Mulvaney: “It could be a lot of different things, yes. Including those.”
Later, the acting director told the committee, “Everything we keep is subject to being lost, yes.”
Mulvaney also expressed reluctance to disclose the size and nature of the breaches in public. “I don’t want to say anything, but I’m more than happy to talk to all of you about what I’ve talked with the Inspector General about. I think it actually does more harm than good to mention it in a public setting.”
Federal Reserve Inspector General Mark Bialek warned Cordray in October 2014 that his office had “identified information security as a major management challenge for the CFPB due to the advanced, persistent threat to government information technology infrastructure.”
In a report made public Oct. 30, 2014, Bialek told Cordray that “improvements are needed in four high-priority security risk areas: continuous monitoring, configuration management, security training, and incident response and reporting.”
A month earlier, the Government Accountability Office came to similar conclusions about the CFPB’s poor management of its big databases.
The GAO said “additional efforts are needed in several areas to reduce the risk of improper collection, use, or release of consumer financial data” contained in the CFPB databases.
“CFPB has not yet fully implemented a number of privacy control steps and information security practices, which could hamper the agency’s ability to identify and monitor privacy risks and protect consumer financial data,” GAO said.
Many economists have ridiculed Warren’s behavioral economic theories and argued they were part of a paternalistic view of consumers who had to be protected by government.
In an interview with the Washington Examiner, Todd Zywicki, a professor of law at George Mason University’s School of Law who closely follows behavioral economics, called it a pseudo-science that provides a “veneer” of respectability to justify CFPB’s regulations.
“What behavioral economics is, is really a new system of trying to dress up sort of old style, ‘government knows best’ paternalism in the garb of economics,” Zywicki said. “And it’s a way to make it look like it’s more like economic science rather than just Big Brother paternalistic government. It gives them that veneer of evidence-based decision making.”
Perdue said he wanted a full follow-up on the safety of the CFPB consumer data and possible hacks. “I would like to propose a follow-up meeting about this because I am absolutely concerned about the exposure of our data in this rogue agency that has no responsibility to this Congress. I’m very concerned about the security of our financial information that nobody in my state really understands the CFPB is collecting.”
Mulvaney is the acting director of the bureau, appointed by President Trump last November when Cordray suddenly resigned to run for the Democratic nomination for Ohio governor. His appointment is being legally challenged in the courts by Leandra English, whom Cordray appointed.