Stand up for the facts!

Our only agenda is to publish the truth so you can be an informed participant in democracy.
We need your help.

More Info

I would like to contribute

In this Sept. 12, 2013 file photo, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray testifies on Capitol Hill in Washington. (AP) In this Sept. 12, 2013 file photo, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray testifies on Capitol Hill in Washington. (AP)

In this Sept. 12, 2013 file photo, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray testifies on Capitol Hill in Washington. (AP)

Amy Sherman
By Amy Sherman August 14, 2018

In Ohio TV ad, Republican group misleads in attack on Richard Cordray's tenure at consumer bureau

A Republican group says that when Richard Cordray worked for the federal government, he collected Americans’ financial data in secret and then the data was hacked.

"Cordray was supposed to protect Americans from financial crime," says a TV ad by the Republican Governors Association in Ohio. "Instead, Cordray secretly collected hundreds of millions of credit card accounts and mortgages. Worse, Cordray failed to protect our information. It was hacked over 200 times. Your data compromised."

The ad makes it sound like Cordray collected information on his own initiative, but it’s actually referring to Cordray’s role in the federal government as the first director of the Consumer Financial Protection Bureau, formed under President Barack Obama over the objections of Republicans.

It’s misleading to state that Cordray collected data in secret because the law allowed data collection. It’s also misleading to suggest that there was a hack, which implies an outsider broke into the data. However, there was a security breach. We’ll explain the full context.

Cordray left his job at the consumer bureau in 2017, and Mick Mulvaney, a critic of the bureau, took over.

Sign up for PolitiFact texts

Cordray is now running for Ohio governor against Republican Attorney General Mike DeWine.

Did the bureau 'secretly' collect data?

The 2010 Dodd-Frank Act created the bureau and gave it authority to gather and compile information from a variety of sources, such as consumer complaints, voluntary surveys, surveys and  interviews with consumers and financial service providers, and reviews of available databases. The law also contained privacy provisions.

We found examples dating back to 2010 of supporters and opponents commenting on the data collection. In an article in Bank Technology News, Sen. Elizabeth Warren, D-Mass., praised the idea of essential "real-time data collection" so that the bureau could be an "effective cop." An editorial in the Orange County Register quoted an expert who raised concerns about the bureau’s plans to collect data on consumers transactions.

A federal Government Accountability Report in 2014 discussed in detail how the bureau collected data from financial institutions and financial aggregators.

Jeff Sovern, who teaches consumer protection law at St. John’s University, said it would be hard to collect information about the functioning of consumer financial markets without seeing information about credit cards and mortgages.

"The bureau was established in part to keep the mortgage lending that led to the Great Recession from happening again, after all," he said.

The ad contained no citations for its point, although association spokesman Jon Thompson sent us news articles pertaining to both. Thompson pointed to Cordray’s testimony Jan. 28, 2014, before a House committee.

U.S. Rep. Sean Duffy, R-Wis., asked Cordray: "Would you object to getting permission from consumers, those people who you work for, before you collect and monitor their information?"

Cordray said if the bureau had to get individuals’ permission before it sought aggregate data about the credit card market, that  "would have the purpose of completely making it impossible for the agency to have any kind of data to know what's going on in these markets."

Todd J. Zywicki, a George Mason University law professor and critic of the bureau under Cordray, said that most Americans don’t know that their private information is transmitted from banks to the government.

"In that sense, ‘secret’ seems like an accurate term to me," he said.

(News reports said that the Trump administration considered Zywicki to take over the bureau.)

'Hack' at consumer protection bureau

As for the claim that the information was hacked, the RGA pointed to Mulvaney’s response to a question during an April 12, 2018, Senate committee if the data had been hacked.

Mulvaney replied: "I want to be careful about what I say and I'll be happy to talk about this more in private, but we have been able to document about 240 lapses in our data security."

Featured Fact-check

Mulvaney said an additional 800 lapses were suspected but hadn’t been confirmed.

Mulvaney provided similar information in January in a letter to Warren stating that before his tenure there were 233 confirmed breaches of personally identifiable information within the bureau’s consumer response system by the bureau or contractors. To put that number in context, the consumer bureau has handled more than one million complaints.

(A spokesman for the bureau provided PolitiFact with the letter sent to Warren but declined to answer questions.)

Mulvaney told senators he instituted a data collection freeze and had hired an outside party to test the integrity of the system.

On May 31, Mulvaney told his staff in an email that "after an exhaustive review by outside experts, including a comprehensive ‘white-hat hacking’ effort, we can lift that hold. The independent review concluded that ‘externally facing bureau systems appear to be well-secured.’"

Zywicki said that the use of the term "hack" in the ad is not correct.

"There have been hundreds of compromises of consumer information, but mainly they have been by inadvertently disclosing personally identifiable information by the contractors who collect the information that gets dumped into the consumer complaint database," he said.

Our ruling

A Republican Governors Association ad said that Richard Cordray "secretly collected hundreds of millions of credit card accounts and mortgages. Worse, Cordray failed to protect our information. It was hacked over 200 times."

It’s misleading to state that the data was collected in secret when the law that established that the bureau could collect data to protect consumers. If some consumers didn’t realize the data would be collected, that doesn’t mean it was a secret.

The use of the word "hack" is the wrong term -- it implies some nefarious person hacked into the data, and that’s not the case. There were breaches of personal information by the bureau or contractors.

We rate this claim Mostly False.

Our Sources

Republican Governors Association, Ad, July 18, 2018

Congress.gov, H.R.4173 - Dodd-Frank Wall Street Reform and Consumer Protection Act, Became law July 21, 2010

Boston Globe, "Consumer bureau chief defends big-data program," April 4, 2013

Orange County Register, "The next 2,000-page bill," May 11, 2010

US News, "How the New Consumer Bureau Will Help You," Sept. 15, 2010

Bank Technology News, "Warren's CFPB Embraces Big Data," December 2010

The Washington Examiner, "Federal consumer bureau data-mining hundreds of millions of consumer credit card accounts, mortgages," Jan. 29, 2014

Investor’s Business Daily, "Forget Facebook, Here’s the Real Privacy Scandal," April 13, 2018

Government Accountability Office, "Consumer Financial Protection Bureau: Some Privacy and Security Procedures for Data Collections Should Continue Being Enhanced," Sept. 22, 2014

Inspector General, Report on the Independent Audit of the Consumer Financial Protection Bureau’s Privacy Program, Feb. 14, 2018

CyberScoop, "Mulvaney: CFPB hit by over 200 data 'lapses,'" June 12, 2018

CyberScoop, "After security testing, CFPB to resume collecting consumer data," June 1, 2018

Mick Mulvaney, Acting Director of the Consumer Financial Protection Bureau, Letter to U.S. Sen. Elizabeth Warren, Jan. 18 2018

Consumer Financial Protection Bureau, Accessed Aug. 13, 2018

United States Senate Banking, Housing, and Urban Affairs Committee, transcript of Mick Mulvaney hearing, April 12, 2018

House Financial Services Committee hearing on the Consumer Financial Protection Bureau's semi-annual report to Congress, April 11, 2018

American Banker, "CFPB's Mulvaney to Warren: Breaches justified data-collection halt," Jan. 19, 2018

American Banker, "Mulvaney response to CFPB data security gaps baffles cyber experts," April 23, 2018

PolitiFact, "Carly Fiorina says Consumer Financial Protection Bureau has 'no congressional oversight,'" Nov. 14, 2015

Interview, Jon Thompson, Republican Governors Association spokesman, July 26, 2018

Interview, Mike Gwin, Richard Cordray spokesman, July 27, 2018

Interview, Sam Gilford, Consumer Financial Protection Bureau spokesman, July 30, 2018

Interview, Jeff Sovern, St. John’s University law professor, July 30, 2018

Interview, Todd J. Zywicki, George Mason University law professor, Aug. 10, 2018  

Browse the Truth-O-Meter

More by Amy Sherman

In Ohio TV ad, Republican group misleads in attack on Richard Cordray's tenure at consumer bureau

Support independent fact-checking.
Become a member!

In a world of wild talk and fake news, help us stand up for the facts.

Sign me up