Bank Insiders Allegedly Sell Customer Data
by Mary Beth Guard
I was already in a bad mood before I saw this weekend's news. I had had a call last week from a brokerage firm I formerly used, asking for my new address and new phone number. When I questioned the purpose (since I no longer have an account with them) and called their fraud department, I was told that three data tapes were missing from a shipment of customer data tapes being transported by the firm to a secure offsite facility. My personal information was on one of those three tapes and they were trying to notify me. "Here we go again," I thought. I've already been an ID theft victim once. I don't want to repeat the experience.
So, I was in that frame of mind when I read the news this weekend about what analysts are describing as possibly the biggest theft of bank customer information ever. Police in Hackensack, New Jersey, have charged nine individuals in connection with a scheme under which financial records of bank customers, including account numbers and balances, were allegedly stolen and sold to collection agencies. Seven of those charged are bank employees, described as "upper level" employees by New Jersey police. It's bad enough when an individual is victimized by a garden variety crook. It's too heinous to contemplate when the crook is aided by trusted employees of financial institutions.
A quick look at the case outlined by the police:
- The records of more than 500,000 bank customers were compromised.
- The bank employees were allegedly paid tens of thousands of dollars (at $10 a whack!) to give the information to 35-year-old ringleader Orazio Lembo. Lembo reportedly ran an illegal detective agency out of his apartment.
- The activity allegedly took place over a period of four years.
- Financial institutions whose employees were allegedly involved include Commerce Bancorp, Inc., PNC Financial Services Group Inc., Bank of America Corp., First Union, and Wachovia. (Some had worked for one institution, then later for another. At the time of the arrests, four worked for Commerce Bank; one for Bank of America, one for Wachovia Bank, and one for First Union/Wachovia.)
- Charges against the bank employees include: commercial bribery; conspiracy; and disclosing from a database.
- Prison terms could be up to 40 years for each of the bank employees, if convicted.
- A number of collection agencies and law firms are now being investigated for purchasing the information from the ringleader.
Section 521 of the Gramm-Leach-Bliley Act makes it unlawful for any person to:
"obtain, attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, customer information of a financial institution relating to another person" through false, fictitious, or fraudulent means (the criminal penalties for doing so are set out in Section 523 of the Act). Certainly, the ringleader and the financial institution employees (if the charges are proven) are culpable, but the collection agencies and law firms who utilized Lembo for his supposed skip tracing services will have plenty to answer for as well.
So, what should your institution be looking at in light of this developing story?
- Have you amended your information security program in light of the March, 2005 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice? That guidance from the thrift and banking agencies took effect March 29, 2005, so your work should already be done and your response program should be ready. (NCUA's guidance was published May 2, 2005 -- the other regulators published theirs in March.)
The guidance, which is aimed squarely at ID theft, states that financial institutions should take preventive measures to safeguard customer information against attempts to gain unauthorized access to it. As examples, it says a financial institution should:
- place access controls on customer information systems;
- conduct background checks for employees who are authorized to access customer information; and
- develop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems when they occur.
The minimum components of a response program are set forth in the guidance. They include such things as assessing the nature and scope of an incident and notifying customers when warranted.
- Do you recognize that the weakest link in any information security program is always the human element? If your employees are not properly hired, trained, and monitored, breaches can occur. And training isn't optional -- it's mandatory. Under the 2001 Interagency Guidelines for Safeguarding Customer Information, information security awareness training is required.
- I can imagine some employees justifying conduct of the type these employees were arrested for by thinking, "Well, he's just going to sell it to collection agencies and attorneys who are only going to use it to collect debts owed by these customers. What's the harm?" The harm is that the customer's privacy is breached in a manner simply not permitted by law. Their information is being sold and employees are personally benefiting from the sale. Trust in the institution erodes and reputations are harmed. When's the last time these folks read their institution's code of ethics or had training in confidentiality?
- Who has access to customer data within your institution? Your privacy policy and information security program should describe who has access to what, and access should be granted on a "need to know" basis. An employee who works exclusively in the safe deposit area, for example, shouldn't have carte blanche access to information from customer deposit accounts. The more individuals who have access, the more at risk customer information is. Re-examine your access policies and refine them if necessary. In any event, periodically reconcile the entitlements actually granted in your systems against the policy, so that actual access rights never exceed those it describes.
- Don't forget that it wasn't all that long ago the regulators warned of organized gangs using coercion and threats of bodily harm to persuade bank employees to assist them in fraud schemes. This would be a good time to review the suggestions we dispensed at that time to help you protect your existing tellers against coercion and threats from gangs; deter and detect this type of fraud; and spot potential "gang plants" when they apply for teller positions. Read "When Tellers Are Targeted: Part 1" and "When Tellers Are Targeted: Part 2".
- Talk through the situation with your marketing and legal departments. If something similar were to occur at your institution, how would you proceed? How long would it take you to pull together a team to notify affected customers? How would you structure a press release? How would you get the word out to your call center and frontline employees for the inevitable questions that would arise? Does everyone know who to route media inquiries to?
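Two of the checks above, keeping actual access rights within the "need to know" policy and monitoring how much customer data each employee actually pulls, in working form. This is an added example written for this page, not code from the article or from any of the institutions named in it. The role names, resource names, entitlement export, audit-log format, log lines and thresholds are all constructed assumptions; an institution would substitute its own entitlement export and audit trail.

```python
"""Added example (not from the BankersOnline article): two checks a bank's
information-security team could run against its customer-information system.
Role names, resource names, the log format and all sample data are assumed."""
import re
from collections import defaultdict
from statistics import median

# Constructed role policy: which customer-data resources each job role may read.
ROLE_POLICY = {
    "teller": {"deposit_accounts"},
    "safe_deposit_clerk": {"safe_deposit_boxes"},
    "loan_officer": {"deposit_accounts", "loan_accounts"},
    "branch_manager": {"deposit_accounts", "loan_accounts", "safe_deposit_boxes"},
}

# Constructed entitlement export: (employee, role, resources actually granted).
GRANTS = [
    ("alice", "teller", {"deposit_accounts"}),
    ("bob", "safe_deposit_clerk", {"safe_deposit_boxes", "deposit_accounts"}),
    ("carol", "loan_officer", {"deposit_accounts", "loan_accounts", "credit_reports"}),
    ("dave", "branch_manager", {"deposit_accounts", "loan_accounts", "safe_deposit_boxes"}),
    ("erin", "courier", {"deposit_accounts"}),  # role the policy does not define at all
]


def excess_entitlements(policy, grants):
    """Return {employee: sorted resources granted beyond what the role policy allows}.
    A role the policy does not know permits nothing, so all of its grants are reported."""
    findings = {}
    for employee, role, granted in grants:
        excess = granted - policy.get(role, set())
        if excess:
            findings[employee] = sorted(excess)
    return findings


# Constructed audit log in an assumed key=value format, one event per line.
AUDIT_LOG = """\
2005-04-01T08:55:02 user=alice action=LOGIN
2005-04-01T09:02:11 user=alice action=VIEW_ACCOUNT acct=100341
2005-04-01T09:04:47 user=bob action=VIEW_ACCOUNT acct=100377
2005-04-01T09:05:03 user=bob action=VIEW_ACCOUNT acct=100378
2005-04-01T09:05:19 user=bob action=VIEW_ACCOUNT acct=100379
2005-04-01T09:05:36 user=bob action=VIEW_ACCOUNT acct=100380
2005-04-01T09:05:52 user=bob action=VIEW_ACCOUNT acct=100381
2005-04-01T09:06:08 user=bob action=VIEW_ACCOUNT acct=100382
2005-04-01T09:06:25 user=bob action=VIEW_ACCOUNT acct=100383
2005-04-01T09:06:41 user=bob action=VIEW_ACCOUNT acct=100384
2005-04-01T10:12:30 user=carol action=VIEW_ACCOUNT acct=100402
2005-04-01T10:40:05 user=alice action=VIEW_ACCOUNT acct=100355
2005-04-01T11:15:44 user=carol action=VIEW_ACCOUNT acct=100410
2005-04-01T13:01:09 user=dave action=VIEW_ACCOUNT acct=100290
2005-04-01T15:22:18 user=alice action=VIEW_ACCOUNT acct=100361
this line is malformed and must be skipped, not counted
2005-04-02T09:10:00 user=alice action=VIEW_ACCOUNT acct=100366
2005-04-02T09:30:12 user=bob action=VIEW_ACCOUNT acct=100385
2005-04-02T14:45:21 user=carol action=VIEW_ACCOUNT acct=100415
"""

EVENT_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} user=(?P<user>\S+) "
    r"action=(?P<action>\S+)(?: acct=(?P<acct>\S+))?$"
)


def lookup_counts(log_text, action="VIEW_ACCOUNT"):
    """Count customer-record views per (user, day); unparsable lines and other
    actions (logins, etc.) are skipped."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m and m.group("action") == action:
            counts[(m.group("user"), m.group("day"))] += 1
    return dict(counts)


def heavy_lookups(log_text, factor=3.0, floor=5):
    """Flag (user, day) pairs with at least `floor` views and more than `factor`
    times the median views of everyone active that day. The median, not the mean,
    is the baseline: one employee pulling hundreds of records drags a mean up and
    hides their own activity, but barely moves a median."""
    counts = lookup_counts(log_text)
    per_day = defaultdict(list)
    for (_user, day), n in counts.items():
        per_day[day].append(n)
    return {
        (user, day): n
        for (user, day), n in counts.items()
        if n >= floor and n > factor * median(per_day[day])
    }


if __name__ == "__main__":
    for employee, extra in excess_entitlements(ROLE_POLICY, GRANTS).items():
        print(f"{employee}: access exceeds role policy: {', '.join(extra)}")
    for (user, day), n in heavy_lookups(AUDIT_LOG).items():
        print(f"{user} viewed {n} customer records on {day}: review")
```

Run as a script, the first check reports bob (a safe deposit clerk holding deposit-account access), carol (an entitlement no role in the policy grants) and erin (an account whose role the policy never defined, which is itself a finding), and the second flags bob's eight account views on 2005-04-01 against a peer median of 2.5. Neither result proves wrongdoing; both are the kind of exception a periodic access review and a daily monitoring report should put in front of a human, which is exactly what four years of $10 lookups never received.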
It's a sad day for the banking industry. We can only hope that institutions will use this as a rallying point from which to redouble their efforts to truly protect customer information -- not just from the wolves on the outside, but the scary people that might be working on the inside.
Related Links
MSNBC's news story includes a video report about the crime.
Copyright, 2005, Bankers Online. First published on BankersOnline.com May 2, 2005.