After security testing, CFPB to resume collecting consumer data

Acting agency director Mick Mulvaney said the bureau is safe to resume collection after an "exhaustive" security review.
Mick Mulvaney
(Flickr / <a href="">Gage Skidmore</a>)

After an “exhaustive” review of the agency’s security practices, the Consumer Financial Protection Bureau will resume collecting consumers’ personal data, acting agency director Mick Mulvaney told employees Thursday.

An independent security assessment “concluded that ‘externally facing bureau systems appear to be well-secured,’” Mulvaney said.

CFPB has a mandate to collect consumer data on things like credit cards and mortgages. The agency’s cybersecurity practices drew the scrutiny of lawmakers in April, when Mulvaney told the Senate Committee on Banking, Housing, and Urban Affairs that the agency had suffered roughly 240 data security breaches and 800 suspected breaches. An CFPB spokesperson told CyberScoop the breaches of personally identifiable information happened before Mulvaney took the agency’s helm in November 2017.

“When I first arrived at the bureau, I was concerned that the information the bureau collects about consumers could fall prey to hackers or other actors,” Mulvaney said in an email to agency staff obtained by CyberScoop.


Mulvaney put a hold on the sensitive data collection shortly thereafter. A subsequent assessment by outside experts included “white-hat hacking” and made recommendations to boost security, Mulvaney said. Some CFPB employees opened phishing emails sent by the security testers, according to Mulvaney. “Therefore, we will step up our employee and contractor training on how to detect and deal with suspicious emails.”

A CFPB spokesperson told CyberScoop that for security reasons, the bureau is not publicly disclosing the specific details and findings of the third-party security review.

Sen. David Perdue, R-Ga., a member of the Senate Committee on Banking, Housing, and Urban Affairs, has requested a confidential briefing from Mulvaney on the data breaches. That briefing has yet to take place, according to Perdue’s office.

You can read the full email below.

[documentcloud url=”” responsive=true]

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts