After an “exhaustive” review of the agency’s security practices, the Consumer Financial Protection Bureau will resume collecting consumers’ personal data, acting agency director Mick Mulvaney told employees Thursday.
An independent security assessment “concluded that ‘externally facing bureau systems appear to be well-secured,’” Mulvaney said.
CFPB has a mandate to collect consumer data on things like credit cards and mortgages. The agency’s cybersecurity practices drew the scrutiny of lawmakers in April, when Mulvaney told the Senate Committee on Banking, Housing, and Urban Affairs that the agency had suffered roughly 240 data security breaches and 800 suspected breaches. An CFPB spokesperson told CyberScoop the breaches of personally identifiable information happened before Mulvaney took the agency’s helm in November 2017.
“When I first arrived at the bureau, I was concerned that the information the bureau collects about consumers could fall prey to hackers or other actors,” Mulvaney said in an email to agency staff obtained by CyberScoop.
Mulvaney put a hold on the sensitive data collection shortly thereafter. A subsequent assessment by outside experts included “white-hat hacking” and made recommendations to boost security, Mulvaney said. Some CFPB employees opened phishing emails sent by the security testers, according to Mulvaney. “Therefore, we will step up our employee and contractor training on how to detect and deal with suspicious emails.”
A CFPB spokesperson told CyberScoop that for security reasons, the bureau is not publicly disclosing the specific details and findings of the third-party security review.
Sen. David Perdue, R-Ga., a member of the Senate Committee on Banking, Housing, and Urban Affairs, has requested a confidential briefing from Mulvaney on the data breaches. That briefing has yet to take place, according to Perdue’s office.
You can read the full email below.