A Republican group says that when Richard Cordray worked for the federal government, he collected Americans’ financial data in secret and then the data was hacked.

"Cordray was supposed to protect Americans from financial crime," says a TV ad by the Republican Governors Association in Ohio. "Instead, Cordray secretly collected hundreds of millions of credit card accounts and mortgages. Worse, Cordray failed to protect our information. It was hacked over 200 times. Your data compromised."

The ad makes it sound like Cordray collected information on his own initiative, but it’s actually referring to Cordray’s role in the federal government as the first director of the Consumer Financial Protection Bureau, formed under President Barack Obama over the objections of Republicans.

It’s misleading to state that Cordray collected data in secret because the law allowed data collection. It’s also misleading to suggest that there was a hack, which implies an outsider broke into the data. However, there was a security breach. We’ll explain the full context.

Cordray left his job at the consumer bureau in 2017, and Mick Mulvaney, a critic of the bureau, took over.

Cordray is now running for Ohio governor against Republican Attorney General Mike DeWine.

Did the bureau 'secretly' collect data?

The 2010 Dodd-Frank Act created the bureau and gave it authority to gather and compile information from a variety of sources, such as consumer complaints, voluntary surveys, surveys and interviews with consumers and financial service providers, and reviews of available databases. The law also contained privacy provisions.

We found examples dating back to 2010 of supporters and opponents commenting on the data collection. In an article in Bank Technology News, Sen. Elizabeth Warren, D-Mass., praised the idea of essential "real-time data collection" so that the bureau could be an "effective cop." An editorial in the Orange County Register quoted an expert who raised concerns about the bureau’s plans to collect data on consumers transactions.

A federal Government Accountability Report in 2014 discussed in detail how the bureau collected data from financial institutions and financial aggregators.

Jeff Sovern, who teaches consumer protection law at St. John’s University, said it would be hard to collect information about the functioning of consumer financial markets without seeing information about credit cards and mortgages.

"The bureau was established in part to keep the mortgage lending that led to the Great Recession from happening again, after all," he said.

The ad contained no citations for its point, although association spokesman Jon Thompson sent us news articles pertaining to both. Thompson pointed to Cordray’s testimony Jan. 28, 2014, before a House committee.

U.S. Rep. Sean Duffy, R-Wis., asked Cordray: "Would you object to getting permission from consumers, those people who you work for, before you collect and monitor their information?"

Cordray said if the bureau had to get individuals’ permission before it sought aggregate data about the credit card market, that "would have the purpose of completely making it impossible for the agency to have any kind of data to know what's going on in these markets."

Todd J. Zywicki, a George Mason University law professor and critic of the bureau under Cordray, said that most Americans don’t know that their private information is transmitted from banks to the government.

"In that sense, ‘secret’ seems like an accurate term to me," he said.

(News reports said that the Trump administration considered Zywicki to take over the bureau.)

'Hack' at consumer protection bureau

As for the claim that the information was hacked, the RGA pointed to Mulvaney’s response to a question during an April 12, 2018, Senate committee if the data had been hacked.

Mulvaney replied: "I want to be careful about what I say and I'll be happy to talk about this more in private, but we have been able to document about 240 lapses in our data security."

Mulvaney said an additional 800 lapses were suspected but hadn’t been confirmed.

Mulvaney provided similar information in January in a letter to Warren stating that before his tenure there were 233 confirmed breaches of personally identifiable information within the bureau’s consumer response system by the bureau or contractors. To put that number in context, the consumer bureau has handled more than one million complaints.

(A spokesman for the bureau provided PolitiFact with the letter sent to Warren but declined to answer questions.)

Mulvaney told senators he instituted a data collection freeze and had hired an outside party to test the integrity of the system.

On May 31, Mulvaney told his staff in an email that "after an exhaustive review by outside experts, including a comprehensive ‘white-hat hacking’ effort, we can lift that hold. The independent review concluded that ‘externally facing bureau systems appear to be well-secured.’"

Zywicki said that the use of the term "hack" in the ad is not correct.

"There have been hundreds of compromises of consumer information, but mainly they have been by inadvertently disclosing personally identifiable information by the contractors who collect the information that gets dumped into the consumer complaint database," he said.

Our ruling

A Republican Governors Association ad said that Richard Cordray "secretly collected hundreds of millions of credit card accounts and mortgages. Worse, Cordray failed to protect our information. It was hacked over 200 times."

It’s misleading to state that the data was collected in secret when the law that established that the bureau could collect data to protect consumers. If some consumers didn’t realize the data would be collected, that doesn’t mean it was a secret.

The use of the word "hack" is the wrong term -- it implies some nefarious person hacked into the data, and that’s not the case. There were breaches of personal information by the bureau or contractors.

We rate this claim Mostly False.