New York Post

A BREACH OF TRUST

Obama created a bureau that collected secret data from millions of Americans. Now it’s been hacked

PAUL SPERRY

Paul Sperry is a former Hoover Institution media fellow and author of the bestseller “Infiltration.”

WITHOUT your knowledge or permission, the Obama administration collected and warehoused your most private bank records and continued to sweep them up — despite repeated warnings the data wasn’t being properly protected. Now there’s a good chance your personal information could be in the hands of identity thieves or even terrorists.

The government isn’t sure who has your information. It only knows the Obama-era databases have been breached by outsider threats potentially 1,000-plus times. That’s according to a recent investigation of cyber-intrusions at the Consumer Financial Protection Bureau, where the sensitive information is stored.

The number of confirmed breaches of consumers’ personally identifiable information is “just north of 200,” revealed Mick Mulvaney, the White House budget chief who took control of the CFPB late last year, in testimony to Congress. “We think there’s another 800 [incidents of hacked information] that we suspect might have been lost, but we haven’t been able to nail that down.”

In fact, the bureau has suffered 233 confirmed hack attacks and another 840 suspected hacks, putting at risk the financial information and other personal data — including Social Security numbers and birthdates — of potentially millions of Americans.

Most people don’t know this, but after President Barack Obama created the CFPB, he had the powerful regulatory agency snoop into virtually every financial account held by Americans to assemble a massive and secret government database as part of the post-financial crisis overhaul of the banking industry.

Without asking if customers wanted to opt in, CFPB has collected and stockpiled from banks more than 600 million credit-card accounts and personal data from millions of home, auto, business and student loans.

For the first time, the government vacuumed up extremely sensitive personal finance information that even the IRS doesn’t collect — including credit scores, performance data on loans, telephone numbers, employment records, even your race and ethnicity, in addition to your date of birth, Social Security number and address. At last count, the CFPB had 12 consumer data-mining programs running.

The main purpose of the databases was to find “statistical patterns” of unfair or racially discriminatory lending to help make cases of bias against private lenders and credit agencies.

CFPB maintained in regulatory notices buried in the Federal Register that all this personal information would be safely stored in “locked file rooms, locked file cabinets” inside a building with “security cameras” and 24-hour security guards and that the computerized records would be “safeguarded through use of access codes.”

But it turns out the agency also shared the codes and files with outside agencies and contractors, including state attorneys general, trial lawyers and civil-rights organizations interested in filing class-action lawsuits against banks, according to regulatory documents and congressional testimony.

In 2015, the bureau’s inspector general warned that sharing the massive databases with outside contractors and storing sensitive private information on unsecured data clouds made the data vulnerable to hacking, identity theft and fraud.

Among other things, inspector general Mark Bialek found that CFPB failed to ensure that the data it was collecting on credit-card accounts and loans followed new cyber-security safeguards in the wake of the massive hacking of the US Office of Personnel Management by the Chinese, which compromised the personal information — including fingerprints — of current and former federal employees. He also found that the bureau was using an “outdated encryption mechanism to secure remote access to its information technology infrastructure.”

“CFPB has not yet fully implemented a number of privacy-control steps and information-security practices,” warned Bialek in a 10-page memo to then-CFPB Director Richard Cordray.

Also, the agency failed to perform background checks on outside contractors with “privileged access” to the computer system and databases, nor had it adequately trained employees to avoid falling for e-mail “phishing” scams that hackers use to break into government computer systems, Bialek said.

But the warnings largely fell on deaf ears. The full extent of the security breaches was only uncovered and disclosed after the Trump administration recently took over the agency, which Obama made sure would be shielded from congressional oversight and audit. The new director testified that “everything” the agency keeps on file is subject to being obtained by malicious third parties.

“I am very much concerned about the privacy of that data, about the use of that data,” Mulvaney testified earlier this month before the Senate Banking Committee. “I am not satisfied with the data security right now in the bureau.”

He says he has put a “data collection freeze” into effect to stop the automatic electronic transfer of bank records to the government until “we fix our systems.” Meanwhile, he is working with the Defense Department to “test our vulnerabilities.”

Even now, it’s unclear who has your data. But one thing is for sure: These breaches demand an independent audit and criminal investigation to fully assess the damage to consumer privacy. Until then, CFPB clearly cannot be trusted to gather and handle any more data that’s personally identifiable.
