BETHESDA – Today the U.S. Consumer Product Safety Commission (CPSC) Office of Inspector General (OIG) issued a report examining the CPSC’s unauthorized release of sensitive information regarding thousands of people and businesses. The OIG ascertained, among other findings, that the scope of the data breach was greater than previously reported and that the data breach was the result of incompetence and mismanagement rather than outside hackers gaining access to the CPSC’s information technology systems.
The OIG agreed to investigate the CPSC’s Clearinghouse data breach after receiving numerous requests from Congress and CPSC Commissioners. The OIG initiated an administrative investigation to assess the scope and root causes of the data breach and the CPSC’s response to it, as well as several specific allegations of misconduct, including whether the data breach was deliberate.
The OIG quickly confirmed that the data breach was not the result of outside hackers gaining access to the CPSC’s information technology systems. In fact, CPSC employees caused the data breach by inappropriately releasing confidential information. However, early on, the OIG determined that the scope of the breach greatly exceeded the agency’s estimate. The OIG found:
- The inappropriate release of information began earlier and was of greater volume than believed by the agency.
- The root causes of the data breach were mismanagement and incompetence.
- The CPSC attempted to respond quickly to the breach. However, the CPSC’s response to the breach was hindered by its lack of preparation for dealing with data breaches and the errors made in assessing the scope of the breach.
- No evidence that the data breach was deliberate.
The OIG had previously brought many of the issues that led to the data breach to management’s attention; these problems were neither new nor unknown to the agency. Specifically, the OIG notified the agency about the lack of internal controls in the Clearinghouse, the lack of adequate encryption of PII, and the failure to restrict access to non-public data to those with a need for this access.
The OIG is an independent office within the CPSC that performs audits and investigations of the CPSC, and prevents and detects fraud, waste and abuse.