CFPB Report: 2025-SR-C-005, May 5, 2025
In 2023, the CFPB declared a major breach that affected about 256,000 consumers and 46 institutions after an employee sent confidential supervisory information to a personal email account.
We found that the CFPB’s guidance does not sufficiently limit access to confidential supervisory information. Its guidance also lacks expectations for assessing the severity of confidential supervisory information breaches and enforcing consequences for responsible employees. Finally, the CFPB does not have a defined process to notify affected supervised institutions of breaches.
We are making seven recommendations to address these issues and improve the agency’s protection of confidential supervisory information.