Federal officials are warning for a second time this month of potential security weaknesses with a massive consumer data-mining program run by the Consumer Financial Protection Bureau.
Inspector General Mark Bialek warned CFPB Director Richard Cordray that the IG office had “identified information security as a major management challenge for the CFPB due to the advanced, persistent threat to government information technology infrastructure.”
In a report made public Oct. 30, 2014, Bialek told Cordray that “improvements are needed in four high-priority security risk areas: continuous monitoring, configuration management, security training, and incident response and reporting.”
The bureau has been acquiring unprecedented amounts of consumer credit card and mortgage data since its creation by Congress and President Obama in 2010.
As the Washington Examiner first reported in January, the goal is to amass key data for 95 percent of all first mortgages on 53 million residential properties in the United States. The bureau also is compiling information on 933 million credit cards used by American consumers.
Consumers are particularly aware of the dangers of data breaches after the recent hacking attacks at Target and Home Depot. Credit card companies spent a record $60 million for the Home Depot data breach in September, twice the losses suffered by Target.
The IG's database security warnings were contained in a larger critique of CFPB management troubles.
Bialek is not the first watchdog to raise concerns about the risk of hackers compromising the sensitive consumer financial information in the CFPB databases.
The same concerns were raised by the Government Accountability Office, Congress' investigative arm, last month.
The GAO said “additional efforts are needed in several areas to reduce the risk of improper collection, use, or release of consumer financial data” contained in the CFPB databases.
“CFPB has not yet fully implemented a number of privacy control steps and information security practices, which could hamper the agency's ability to identify and monitor privacy risks and protect consumer financial data,” GAO said.
The security problems highlighted by the IG weren't limited to the financial databases, either, as Bialek also warned that “CFPB management faces challenges in implementing a continuous monitoring process for all CFPB systems.”
The IG was alarmed that CFPB did not have the capability to quickly identify cybersecurity breaches, stating, “It is difficult for the CFPB to correlate information on incident activity because it does not yet have the capability to analyze security incident information from all relevant sources.”
CFPB has retained a large number of outside contractors to collect and sort its burgeoning data. Many are collecting and aggregating the data in a category called “Special Services/Economic Analytics.”
The IG warned CFPB that its contractors could serve as a target for cybersecurity attacks. “The agency faces challenges in ensuring that contractors implement the required information security controls,” Bialek warned.
Companies helping CFPB on its data-mining efforts include: Argus Information and Advisory Services, FORS Marsh Group, PricewaterhouseCoopers, McKinsey & Co., Armedia LLC, CLC Compliance Technologies, the Brattle Group and National Opinion Research.
Since March 2012, CFPB has paid more than $57 million to the contractors, according to USASpending, a federal spending database.
Since July 2011, CFPB also has encountered trouble attempting to move its IT system away from the U.S. Treasury Department’s IT system where it currently operates.
“The CFPB has encountered scheduling delays in transitioning IT from Treasury and in establishing certain components of its own IT infrastructure,” reported Bialek.
The transition will require “significant resources and a concerted effort over several years,” the IG reported.
The bureau and its big-data collection methodology were the pet project of Sen. Elizabeth Warren, D-Mass., now considered a dark horse Democratic presidential candidate.
Warren and the bureau said their data-collection efforts were for legitimate “market research.” Warren pioneered consumer-oriented data collection as a professor at Harvard University.