Technology Can’t Fix Trust Breach

In the recent cases of customer data sales by bank employees, employers came face to face with their biggest security challenge: trusting their employees.

“It’s pretty much the toughest security problem to deal with,” says Rich Mogull, research vice president at Gartner, Phoenix.

‘Blatant Fraud’

At the end of May, Bank of America notified 60,000 customers that their records might have been included in those allegedly sold to Orazio Lembo. Lembo allegedly purchased data from the bank’s employees as well as those at Wachovia, Commerce Bancorp and PNC Financial. Wachovia sent the word out to 48,000 of its customers and like BofA, promised free credit reports for a year to affected consumers. Hackensack, N.J., police investigators estimate that at least 676,000 retail bank accounts are at risk and possibly as many as 1 million. They have not classified this as an identity-theft case, but should consumers turn out to be victims of financial fraud, case categorization could change.

Employees reportedly received US$10 for each customer record they manually copied off of computer screens or printed out of their employers’ databases. “It took four years to break the case because these were people who were authorized to pull credit reports and they copied that data in very manual, old-school ways,” Mogull says. “Employees were basically taking information out of the databases and out of the organization. It was blatant fraud.”

Lembo allegedly sold the information to collections agencies and law firms, paying his sources tens of thousands of dollars and making millions for himself. Ten people have been charged in the case.

The information on how the stolen records have been used has not been released. Data buyers seemingly operate legitimate businesses and might not have known the data was obtained fraudulently. “But credit agencies need to be more careful to vet where they get their information from,” Mogull says, acknowledging that this theft puts a greater burden on the innocent than the guilty. New regulation likely will target the data sales industry and its buyers. “They will fight it. I’ve never known an industry that hasn’t fought regulation.”

“There is a monster data market of information from sources that aren’t supposed to have that information,” says Jeff Moss, president of Black Hat, a Seattle-based computer security training and conference firm. Like journalists who will take scoops from seedy sources, data buyers still use the information.

He’s not against scaring employees — prospective data thieves and savvy data buyers — with regulation and notes that for some, it might provide greater employee accountability within organizations. But he acknowledges that laws might not do the trick. “Bank employees were risking their careers and lifetimes in jail for $10 a name. Laws can’t be directed at them. They weren’t enough to stop them before.”

Nothing Is Foolproof

Current software cannot guarantee fraud elimination. Content monitoring software tracks e-mail or FTP upload activity of data files, but these records more likely slow fraud down than alert data gatekeepers to clear illegal data transfer that can be shut down. And if employees print records, there’s no guarantee the organization will ever notice illegal data distribution.

“You’re trusting your employees to use your data only as they’re supposed to,” Mogull says.

Moss points out that the errant bank employees “were doing what they’d do in the normal course of their jobs. They were not really behaving that suspiciously.”

Mogull suggests that banks turn inward the software they’ve employed externally to watch account transaction activity and notify consumers when they see unusual patterns. These behavioral modeling tools profile individuals. When there are transactions that don’t match a customer’s profile, the bank calls the customer, inquiring about recent withdrawals, fund transfers or purchases.

That solution might help, but Moss notes that there is no technical counteraction. He says technology once sold to database-reliant industries such as casino entertainment sought to prevent employees from slowly draining data from the company’s files, but the time needed to assess a problem defeated its purpose.

“Inside employees who are misbehaving are very hard to stop,” he says. “It’s very frustrating.”