The Consumer Financial Protection Bureau’s ability to protect sensitive consumer and other data has degraded amid a wave of staff departures and contract cancellations, a watchdog report found.
The CFPB’s overall cybersecurity dropped from “managed and measurable” in fiscal 2024 to not consistently implemented in fiscal 2025, under a scale set by the Federal Information Security Modernization Act, according to a Monday report.
The report, from the inspector general for the Federal Reserve and the CFPB, called the agency’s overall information security program “not effective.” The CFPB is an independent unit of the Fed and the two agencies share an inspector general.
Much of the faltering was due to staff attrition and termination of contracts for security reviews, the report said.
“As such, the CFPB is unable to maintain an effective level of awareness of security vulnerabilities in its environment,” the report said.
Immaterial Details?
The CFPB improved some agency cybersecurity protocols, such as formalizing ransomware responses and improving background checks on new employees, the report found.
But overall, the state of CFPB cybersecurity protections had seen a significant drop in the months since acting Director Russell Vought took control of the agency in February, the report said.
In response, CFPB management said it would enact several of the report’s recommendations but said that many of the concerns in the report were immaterial.
“The OIG’s report provides the misleading impression that the Bureau has a lax information security posture,” Christopher Chilbert, the CFPB’s chief information officer, said in an Oct. 30 letter to the inspector general that was made public alongside the report.
The CFPB will “continue to focus its effort and resources on that have a real-world impact on the security of its systems,” Chilbert said.
The agency didn’t immediately respond to a request for further comment.
Contract Cuts
Among Vought’s first moves upon taking control of the CFPB was canceling around $100 million worth of contracts, including key cybersecurity contracts meant to prevent viruses from traveling between its consumer complaint database and companies that were subject to complaints.
Those cuts were made in conjunction with Elon Musk’s Department of Government Efficiency.
Many contracts were reinstated soon after, while other cuts were put on hold by a federal judge.
In recent months, the CFPB has either not renewed or put other contracts up for rebidding as the agency looks to cut costs. The Republican budget bill signed into law by President Donald Trump cut the amount of money the CFPB can request from the Fed by around half.
Vought attempted to fire around 90% of the agency’s staff upon taking over the CFPB, but that also was put on hold by courts. The US Court of Appeals for the DC Circuit is considering a request from the CFPB’s union for the full court to rehear a panel opinion that allowed the firings to move forward.
But even without the firings, the CFPB has seen a wave of resignations.
Among those were the CFPB’s chief risk officer and other individuals in the enterprise risk management office in March, according to the report. Those positions were never filled, the report said.
The CFPB collects vast amounts of data, including sensitive consumer information such as Social Security numbers, making enhanced cybersecurity vital, the inspector general said.
