Mulvaney: CFPB hit by over 200 data ‘lapses’

Mick Mulvaney revealed Thursday that the agency had suffered some 240 “lapses” in data security over an unspecified time period, in addition to a suspected 800 other such incidents.
Mick Mulvaney
(Flickr / <a href="">Gage Skidmore</a>)

The head of the Consumer Financial Protection Bureau said Thursday that the agency had suffered some 240 “lapses” in data security over an unspecified time period, in addition to a suspected 800 other such incidents.

“We have been able to document about 200-odd – I think 240 – lapses in our data security,” acting CFPB Director Mick Mulvaney told the Senate Committee on Banking, Housing, and Urban Affairs during a hearing on the bureau’s semi-annual report to Congress.

“Lapses – is that a breach?” Sen. David Perdue, R-Ga., asked Mulvaney during a tense exchange.

“I think data got out that should not have gotten out,” Mulvaney replied, adding, “there’s another 800 [incidents] that we suspect that we haven’t been able to confirm.”


As part of its mandate to protect consumers, the CFPB has the right to collect data on credit card transactions, mortgages, and car loans, Mulvaney said.

“Everything that we keep is subject to being lost,” added Mulvaney, who is also the director of the White House Office of Management and Budget.

He consulted with an aide during the hearing to confirm that some of his agency’s data is stored by third parties.

Perdue requested a classified briefing on the subject and Mulvaney said he would be willing to provide one.

Since the seminal 2015 breach of the Office of Personnel Management, in which the personal information of some 22 million Americans was compromised, U.S. lawmakers and agencies have woken up to the threat of large-scale espionage via data theft.


In September, credit reporting company Equifax disclosed that hackers had breached the personal information, including Social Security numbers, of more than 140 million consumers in the United States.

UPDATE: A CFPB spokesperson provided the following statement to CyberScoop:

“Prior to Acting Director Mulvaney’s appointment (in November 2017), there were 233 confirmed breaches of consumer personally identifiable information (PII) within the Bureau’s Consumer Response system by the Bureau or its contractor, and at least another 840 suspected PII breaches by financial institutions using the company portal.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts