Identity Theft: Lender Countrywide's Insider Case

Two Years of Thievery Nets 2 Million Mortgage Applicants A former Countrywide Financial Corp. employee was arrested by the Federal Bureau of Investigation earlier this month in Los Angeles for stealing and selling sensitive personal information, including social security numbers on an estimated 2 million mortgage loan applicants from around the country for the last two years. (See related: )

According to Privacy Rights Clearinghouse (www.privacyrights.org) the insider, Rene Rebollo, was a senior financial analyst at Full Spectrum Lending, Countrywide's subprime lending division. The FBI's statement alleges Rebollo was taking the personal information of mortgage customers, including social security numbers, storing them on a USB thumb drive. Rebollo told the law enforcement he profited anywhere from $50,000 to $70,000 from the sale of the Countrywide-owned data. In an FBI affidavit Rebollo estimated he downloaded about 20,000 customer profiles a week in excel spreadsheets onto the flash drives and then took the spreadsheets and emailed them to buyers from business center stores. Countrywide was already facing money troubles due to the subprime loan meltdown and was bought by Bank of America earlier this year.

Rebollo lost his job with Countrywide in July. He now faces up to five years for the theft. Another man, Wahid Siddiqi, was arrested for allegedly buying the stolen data and also selling it, he faces 15 years in prison.

"While this breach is bad news for Countrywide and even more bad news for their mortgage customers whose information was stolen, the question for other industry businesses out there is - what can you do to protect your institution against this?" says Ken Dunham, Director of Global Response at iSight Partners, a Washington, DC-based risk mitigation company.

A recent study showed that lack of security or plain incompetence was the root cause for the majority of breaches, Dunham notes. "How to stop these types of breaches? I remember when some government agencies resorted to putting super glue in the USB ports to stop staff from using them," he says. There is always a way to completely protect against it, but at what cost he asks, the result is cost prohibitive and counter productive, often sending the wrong message to employees.

The threat of the trusted insider looms large for financial institutions, Dunham notes. "We've known for a long time that insiders are the most costly of attacks, they have trusted access and infrastructure, not that outsiders can't do some pretty clever things on a network, but an insider can do damage pretty quick, because they know where to look," he observes.

The reality is, he says, it is difficult to protect against the insider. "So financial institutions have to have asset controls and not take anything for granted, even though a lot of companies do," he says.

Ways for financial institutions to stop the inside threat include encryption and strong biometric authentication measures and a data-centric protection model. "All these breaches could have been easily prevented by protecting data at the source�and without organizations having to change or modify their databases and applications. Leading analysts and experts agree that a data-centric protection model is a must," says Mark Bower, director of Information Protection Solutions at Voltage, a security vendor. "These days, there should be no excuse for breaches such as these. Institutions can avoid compliance issues, avoid the fines, and avoid repetitive ongoing disruptive audits that are often mandatory after breaches take place," Bower concludes.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network