Not every data breach needs a hacker; sometimes just a careless employee will do. The U.S. Consumer Financial Protection Bureau said a now-ex-employee sent records containing Americans’ private data to a personal email account. Over the course of 14 emails, the employee sent records including two spreadsheets containing names and transaction-specific account numbers related to roughly 256,000 consumer accounts at a single institution, the CFPB acknowledged. The Wall Street Journal first reported the incident on Wednesday.
The data the employee sent cannot be used to gain access to consumer accounts, the agency said. The agency asked the former CFPB employee to certify the deletion of each email, something the former employee so far has refused to do. “This unauthorized transfer of personal and confidential data is completely unacceptable,” said a CFPB spokesperson. Republican lawmakers such as Senate Banking Committee Ranking Member Tim Scott, who has long been critical of the CFPB, used the breach to denounce the agency.