BofA Breach: 'A Big, Scary Story'

$10 Million Loss Highlights Risks, Sophistication of Internal Breaches

By , May 25, 2011.
  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
BofA Breach: 'A Big, Scary Story'

A

See Also: 5 Must-Haves for an Enterprise Mobility Management (EMM) Solution

n internal breach at U.S. financial giant Bank of America shows how some corporations do not focus enough attention on mitigating internal fraud risks.

According to news reports, a BofA employee with access to accountholder information allegedly leaked personally identifiable information such as names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's license numbers, birth dates, e-mail addresses, family names, PINs and account balances to a ring of criminals. With that information, the fraudsters reportedly hijacked e-mail addresses, cell phone numbers and possibly more, keeping consumers in the dark about new accounts and checks that had been ordered in their names.

Some 300 BofA customers in California and other Western states have reportedly had their accounts hit, and 95 suspects linked to the breach were arrested by the Secret Service in February.

BofA says it detected the fraud a year ago, but only recently began notifying affected customers of the breach.

"As we communicated to impacted customers, this situation involved a now former associate who provided customer information to people outside the bank, who then used the information to commit fraud against our customers," says BofA spokeswoman Colleen Haggerty. "Keeping customer information secure and confidential is one of our most important responsibilities, and Bank of America sincerely apologizes for this incident, and regrets any inconvenience it may cause our customers. We work hard to prevent fraud, and our customers who experience fraud on their accounts related to this incident will be reimbursed if they report it promptly to us."

Privacy expert and attorney Kirk Nahra calls the BofA incident "a big, scary story," and says account-management checks should have picked up on the fraud before more than $10 million was drained from customer accounts. "Money was missing, so there should have been some trigger just identifying that there was a problem," he says. "It's just weird that the problem wasn't picked up on sooner."

Protecting PII: A Widespread Concern

Julie McNelley, an Aite analyst, says the BofA breach underscores concerns consumers should have about sharing their personal information with any company, not just a financial institution. "It's a huge issue for all types of consumer information that is stored, and it's being heavily targeted by all kinds of breaches," McNelley says. "Organized crime either had an employee planted or reached out to an employee and got them in on the hack. We're seeing this more and more."

Despite growing concerns about internal threats, McNelley says banking institutions and other organizations can implement strategies to detect employee fraud. In some cases, they can even predict high probabilities for employee fraud.

McNelley's must-haves include:

  • Background checks. "When it comes to screening employees during the hiring process, a layered approach is necessary," McNelley says. Background checks are the norm, and public records could provide tell-tale signs about a certain candidate's propensity to commit fraud. Especially, if a bank employee committed fraud while working for another institution, banking networks will often include background information about these employees' previous work histories.
  • Prosecution. Be sure to press charges against employees who commit fraud. Many banking institutions are reluctant to prosecute because of bad publicity, but doing so establishes a public paper trail for other institutions to follow.
  • Behavior Monitoring. Implement and engage in behavior tracking. "When you have a teller who is accessing five times more accounts than any other teller in your bank, that could be a red flag that something is going on," McNelley says.

BofA Cleans the Mess

Going forward, BofA says it's working internally and with its customers to clean up the mess. "We take personal data protection very seriously," Haggerty says. "This includes safeguards ranging from background checks during the hiring process, monitoring employee access to customer personal data, and very clear policies that prohibit the improper use of customer data. In the event of a privacy compromise or fraud, we have in place aggressive account monitoring and refund policies for unauthorized transactions after an incident occurs to protect our customers. Customers impacted by this specific incident will also receive two years of free credit report monitoring."

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE How NSA Hacked North Korean Hackers

The FBI's attribution of the attack against Sony Pictures Entertainment to North Korea was based,...

Latest Tweets and Mentions

ARTICLE How NSA Hacked North Korean Hackers

The FBI's attribution of the attack against Sony Pictures Entertainment to North Korea was based,...

The ISMG Network