BofA Breach: 'A Big, Scary Story' $10 Million Loss Highlights Risks, Sophistication of Internal Breaches
An internal breach at U.S. financial giant Bank of America shows how some corporations do not focus enough attention on mitigating internal fraud risks.

According to news reports, a BofA employee with access to accountholder information allegedly leaked personally identifiable information such as names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's license numbers, birth dates, e-mail addresses, family names, PINs and account balances to a ring of criminals. With that information, the fraudsters reportedly hijacked e-mail addresses, cell phone numbers and possibly more, keeping consumers in the dark about new accounts and checks that had been ordered in their names.

Some 300 BofA customers in California and other Western states have reportedly had their accounts hit, and 95 suspects linked to the breach were arrested by the Secret Service in February.

BofA says it detected the fraud a year ago, but only recently began notifying affected customers of the breach.

"As we communicated to impacted customers, this situation involved a now former associate who provided customer information to people outside the bank, who then used the information to commit fraud against our customers," says BofA spokeswoman Colleen Haggerty. "Keeping customer information secure and confidential is one of our most important responsibilities, and Bank of America sincerely apologizes for this incident, and regrets any inconvenience it may cause our customers. We work hard to prevent fraud, and our customers who experience fraud on their accounts related to this incident will be reimbursed if they report it promptly to us."

Privacy expert and attorney Kirk Nahra calls the BofA incident "a big, scary story," and says account-management checks should have picked up on the fraud before more than $10 million was drained from customer accounts. "Money was missing, so there should have been some trigger just identifying that there was a problem," he says. "It's just weird that the problem wasn't picked up on sooner."

Protecting PII: A Widespread Concern

Julie McNelley, an Aite analyst, says the BofA breach underscores concerns consumers should have about sharing their personal information with any company, not just a financial institution. "It's a huge issue for all types of consumer information that is stored, and it's being heavily targeted by all kinds of breaches," McNelley says. "Organized crime either had an employee planted or reached out to an employee and got them in on the hack. We're seeing this more and more."

Despite growing concerns about internal threats, McNelley says banking institutions and other organizations can implement strategies to detect employee fraud. In some cases, they can even predict high probabilities for employee fraud.

McNelley's must-haves include:

  • Background checks. "When it comes to screening employees during the hiring process, a layered approach is necessary," McNelley says. Background checks are the norm, and public records could provide tell-tale signs about a certain candidate's propensity to commit fraud. Especially, if a bank employee committed fraud while working for another institution, banking networks will often include background information about these employees' previous work histories.
  • Prosecution. Be sure to press charges against employees who commit fraud. Many banking institutions are reluctant to prosecute because of bad publicity, but doing so establishes a public paper trail for other institutions to follow.
  • Behavior Monitoring. Implement and engage in behavior tracking. "When you have a teller who is accessing five times more accounts than any other teller in your bank, that could be a red flag that something is going on," McNelley says.

BofA Cleans the Mess

Going forward, BofA says it's working internally and with its customers to clean up the mess. "We take personal data protection very seriously," Haggerty says. "This includes safeguards ranging from background checks during the hiring process, monitoring employee access to customer personal data, and very clear policies that prohibit the improper use of customer data. In the event of a privacy compromise or fraud, we have in place aggressive account monitoring and refund policies for unauthorized transactions after an incident occurs to protect our customers. Customers impacted by this specific incident will also receive two years of free credit report monitoring."

As for the length of time it took BofA to notify affected customers about the breach, McNelley says she sees no red flags going up. "BofA was probably trying to figure out how far-reaching the fraud was and was working with law enforcement, so they had to keep some of it contained until they knew what they were dealing with."

Nahra, on the other hand, says he finds the delay somewhat perplexing. "I'm a little surprised, given at how sophisticated some of the big institutions are at picking up on fraud and irregularities," he says. "I don't know how this person did it. If he downloaded a lot of information to a thumb drive, you can track some of that. On the access points, you always want to look at how you can control access to information in the first place."

But access control, Nahra allows, is a touchy issue for banks and other entities, since it's difficult for corporations to limit employee access, especially to customer information that enhances the relationship and allows employees to better know and serve customers.

"We have a tension between privacy and security everywhere," Nahra says. "If I set up my bank website and make it incredibly hard to break in to, that means it makes it incredibly hard for the consumer to use. You've always got this tradeoff."


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.





Around the Network