22 Banking Breaches So Far in 2010

Report: Hacking, Insider Theft Continue to be Top Trends
22 Banking Breaches So Far in 2010
UPDATED: There have been 173 reported data breaches so far in 2010, and 34 of these involve financial services companies.

This means that in less than one quarter of the year, we already have seen more than one-third of the 62 banking-related breaches reported in all of 2009.

The numbers are slightly skewed, says Linda Foley of the Identity Theft Resource Center (ITRC), the organization that tracks data breaches, because some of the 22 incidents actually occurred in 2009 but are just now being brought to light - particularly in Maryland, where the state's attorney general's office reported a slew of 2009 incidents on March 1 of this year. "I suspect there will be more [reports] coming," Foley says, "so the trend thus far is we're finally finding out about breaches that are just coming out."

But the new year's breaches are enough to convince observers that last year's trends are continuing. "2010 could be a tough year for everyone," Foley says.

2010 Trends
If the breach trends do continue as they did in 2009, then financial service companies will continue to experience malicious hacking and insider theft. The challenge for organizations such as the ITRC is that many organizations fail to report their breaches. "The problem is: We're not trying to embarrass a company, but inform everyone of what is happening out there."

Based on what Foley says she's seen so far in 2010, much information has been lost, "so there's a real need for businesses to adopt policies to protect data."

Despite the Federal Trade Commission's work in promoting the ID Theft Red Flags Rule, Foley says many businesses still don't want to comply with the requirements. "If you don't want to protect it, then don't collect the data," she advises these organizations.

For those organizations that do buy into data protection, they must deputize their employees to take the responsibility seriously. "You should be telling your employees why it is important, so they buy into the wanting to actively protect data, and so they don't see it as another chore," Foley says.

Of the breaches reported thus far in 2010, financial services breaches add up to 11.7 percent of the 173 incidents -- the second lowest percentage on the list. The remaining incidents break down as:

Business/Retail - 44%
Medical/healthcare -- 23%;
Government/military --15 %;
Education - 7%

List of Reported Breaches
Editor's Note: The following is a list of data breaches that have affected U.S. financial institutions in 2010. The information was compiled from the 2010 Data Breach Report by the Identity Theft Resource Center (ITRC), based in San Diego, CA.

ESB Financial, Emporia State Bank
Emporia, KS
Records Taken: 3,097
Type of Breach: Exposure of data on Web
Date: April 23

Emporia State Bank officials announced that 7 years ago a data backup was sent to an unauthorized storage source. A total of 3,097 customers’ personal data could have been exposed by the backup. An outside computer specialist did not realize what had happened, and knowledge of the problem did not surface for seven years, when someone stumbled onto information and numbers during an Internet search. Bank officials say that names, addresses, account numbers and, in some cases, Social Security numbers, would have been available to someone who found them on the Internet.

See Also: 2024 Global Threat Report- Infographic

PNC Bank
Pittsburgh, PA
Records Taken: Unknown
Type of Breach: Skimming
Date: April 15

The Western Pennsylvania Financial Crimes Task Force began an investigation into skimming incidents after it got information from PNC Bank that in January more than $200,000 in fraudulent credit and debit card purchases had been made in New York City and Washington, D.C. The investigators were able to trace the compromised accounts to ATMs in Pittsburgh, according to a criminal complaint filed in the case. Alexandra Razvan Serb and Mihai Popa, both Romanians, were arrested on April 15 and are charged with bank fraud, access device fraud and aggravated identity theft.


Bank of America
Charlotte, NC
Records Taken: Unknown
Type of Breach: Insider
Date: April 1

A North Carolina bank worker faces jail time for ATM fraud after allegedly changing the ATM computer code at Bank of America networks so that the machines would dispense cash and not record the transactions. The U.S. Attorney for the Western District of North Carolina filed documents in court on April 1, alleging that Rodney Reed Caverly plotted to deploy malicious computer code within the company's systems so that ATM machines would dispense cash without any record of a transaction. Caverly maintained and designed computer systems at Bank of America, including ATMs. With the malicious code in place, Caverly was able to take more than $5,000 during a seven-month period in 2009, say prosecutors.

Charles Schwab
New York, NY
Records Taken: Unknown
Type of Breach: Outside Network Intrusion
Date: April 6

A computer hacker was sentenced to 3 years in prison on April 6 for hacking into brokerage accounts at Charles Schwab in September 2006 and laundering more than $246,000, some of which he sent to co-conspirators in Russia. Aleksey Volynskiy also sold 180,000 stolen credit card numbers to a cooperating witness, directing them to be made into credit cards that could be used to withdraw money from ATMs.

LPL Financial Corporation
San Diego, CA
Records Taken: Unknown
Type of Breach: Stolen or missing hardware
Date: March 9

The LPL Financial Corporation informed the Attorney General of New Hampshire in a breach notification letter dated March 9 that one of its unencrypted portable drives was stolen from an employee’s vehicle. The company found out that the drive was stolen on February 24. The drive contained an undisclosed number of LPL Financial Corporation’s clients’ names, date of birth and Social Security numbers.

Fifth Third Bank
Grand Rapids, MI, Cincinnati, OH

Records Taken: Unknown
Type of Breach: Unknown Cause

A security breach through a third-party vendor has prompted Fifth Third Bank, Cincinnati, OH, to send new debit cards to an undisclosed number of banking customers in Michigan and Ohio. Fifth Third Bank has banking branches in 12 states. The third-party vendor was not identified, but a limited number of customers were sent new cards and a notification letter that stated the debit cards "may have been compromised," but that other personal data, including Social Security numbers was not accessed. The number of affected customers was not disclosed.

PNC Financial Services
Pittsburgh, PA
Records Taken: Unknown
Type of Breach: Outside Network Intrusion

PNC Financial Services says that former National City Bank debit accounts were compromised in a system wide breach that affects former National City Bank customers. National City Bank, based in Cleveland, OH, was acquired by PNC in December 2008. Bank spokesperson Fred Solomon says current PNC customers were not affected, and the National City Bank debit cards affected were only in the Cincinnati, OH area. The bank says the customers' debit cards were compromised shortly before the acquisition occurred in 2008. The bank would not reveal how many accounts were hit, or how much money was taken.

John Hancock Financial
Boston, MA
Records Taken: Unknown
Type of Breach: Stolen or missing hardware

John Hancock, a Boston, MA insurer owned by Toronto insurer Manulife Financial, reported on March 13 that a partner could not locate a CD containing customer information, including names, dates of birth, and Social Security numbers of 1,085 Massachusetts residents. The company said the CD was password-protected and encrypted, but has offered credit monitoring to customers whose information may have been compromised. The company did not disclose how many persons' data was on the disk.

TD Bank
Mount Laurel, NJ
Records Taken: 13
Type of Breach: Insider Theft

A former switchboard operator for TD Bank in Mount Laurel, NJ took customer information and gave it to accomplices who in turn withdrew more than $200,000 from 13 bank customers' accounts, says the U.S. Attorney's Office in Philadelphia. Talayah Little, 26, of Hainesport, NJ, has been fired by the bank and was indicted by federal agents on March 13.

US Bank
Richmond Heights, OH
Records Taken: Unknown
Type of Breach: Stolen or missing hardware

A financial advisor at US Bank in Richmond Heights, OH reported on March 1 that a laptop was missing from his desk. The advisor told police the laptop contained sensitive customer data.

Securities and Exchange Commission
Philadelphia, PA
Records Taken: Unknown
Type of Breach: Stolen or missing hardware

TD Bank, N.A. and T.D. Wealth Management Services reported to the Maryland Attorney General's office that a laptop stolen on June 11, 2009 from the office of the Securities and Exchange Commission in Philadelphia contained customer account information, names, and Social Security numbers. The letter was posted to the Maryland OAG site on March 1. Although the data were encrypted, the letter states, "it is possible that security access information may also have been stolen with the computer."

Assurity Financial Services
Englewood, CO
Records Taken: 487
Type of Breach: Outside Network intrusion

Colorado-based Assurity Financial Services reported to the Maryland Attorney General's office the unauthorized use of their database of clients in March 2009, among which were 487 Maryland clients. The letter was posted to the OAG website on March 1. The company did not state how many customers were affected nationwide. Assurity told affected customers that an unauthorized individual used customer information to either apply for payday loans or to setup bank accounts to accept the funds from the payday loan.

Virgin Money USA Inc.
Waltham, MA
Records Taken: Unknown
Type of Breach: Outside Network intrusion

Virgin Money USA reported to the Maryland Attorney General's office that a former employee had accessed Virgin Money USA customer information on its network. The letter was published on the OAG website on March 1. The former employee accessed names, social security numbers from mortgage applications. The former employee told investigators his intent was to generate business for himself and his new employer. The employee was fired by his new employer when the crime was revealed.

Ally Bank
Philadelphia, PA
Records Taken: Unknown
Type of Breach: Outside Network intrusion

According to the Maryland Attorney General's website, Ally Bank, an online bank based in Philadelphia, PA, informed the AG on August 27, 2009 that a former employee stole bank customers' names, addresses, dates of birth and social security numbers. There was no notification letter available on the OAG website.

Wells Fargo/Wachovia Bank
Charlotte, NC
Records Taken: 953
Type of Breach: Stolen or missing hardware

A backup hard drive containing the names, social security numbers and bank account information for 953 Wachovia customers was stolen from a law office in Irvine, CA used by Wachovia Dealer Services. In a notification letter to the Maryland Attorney General, the bank says the drive was stolen on June 11, 2009. The letter was posted to the OAG website on March 1 and did not state how many bank customers were exposed nationwide.

Partnership Federal Credit Union
Washington, DC
Records Taken: 22
Type of Breach: Accidental breach

The Partnership Federal Credit Union reported to the Maryland Attorney General on July 22, 2009 that an internal data file had been discovered on a computer outside of the secured network earlier in the summer. This may have potentially exposing personal and financial information. The letter was posted to the OAG website on March 1.

Telhio Credit Union
Columbus, OH
Records Taken: Unknown
Type of Breach: Insider Theft

Telhio Credit Union reported to the Maryland Attorney General in a December 22, 2009 letter that a former employee had downloaded a report with customer personal and financial information before leaving his employment in early August 2009. One Maryland resident's information was in that report. It was not stated how many others may have been affected nationwide.

M&T Bank
Baltimore, MD
Records Taken: 39
Type of Breach: Missing Paper Documents

M&T Bank reported to the Maryland Attorney General in a letter dated December 18, 2009 that a courier carrying work for a Baltimore branch was robbed on December 15, 2009. In the courier's bag were 39 customers' checks.

New York, NY
Records Taken: 61
Type of Breach: Accidental breach

BlackRock, a global investment firm, reported to the Maryland Attorney General in a letter dated October 29, 2009 that a third party (PNC Global Investment Servicing) delivered CDs containing personal shareholder information to another financial institution client in December 2008. At least a few of that client's employees accessed the data. The info included names, address, tax identification numbers, or social security numbers. No total breach number was given.

Citi Group
New York, NY
Records Taken: 600,000
Type of Breach: Accidental breach

About 600,000 Citigroup customers got a shock in February when they received their annual tax documents - with their Social Security numbers printed on the outside of the envelope. CitiGroup states that the numbers were surrounded by other numbers and letters "that resembled a mailing routing number." At least 50 of the customers have complained about the gaffe to Citi.

SunTrust Banks,
Hillsborough, FL
Records Taken: Unknown
Type of Breach: Skimming

According to a federal complaint filed in Florida four Bulgarian men put "skimmers" on ATM machines at SunTrust banks in Hillsborough and Pinellas counties last summer and skimmed identifying information on hundreds of bank accounts. One of the men has been arrested, the other three are still at large, say police.

ING Fund
Scottsdale, AZ
Records Taken: 106
Type of Breach: Exposure of data on Web

On January 25, an ING customer discovered that she could access client information on the ingfunds.com web site and notified her stockbroker. In investigating the situation, ING discovered that since August 2008, a file containing the names, addresses, Social Security numbers, and account numbers of 106 ING shareholders had been available on the web through a search engine. The company notified the New Hampshire Attorney General on February 3 that 17 residents of the state were affected.

Ameriquest Mortgage
Minneapolis, MN
Records Taken: 100
Type of Breach: Insider Theft

A man who worked for Ameriquest Mortgage Company for 6 weeks stole enough mortgage application information to steal nearly 100 people's identities. According to the federal indictment against him, Jason Tauer, a Robbinsdale, MN resident worked for Ameriquest from March 15 through April 29, 2005. Only a few months later, money began disappearing from Ameriquest customers' bank accounts and credit card accounts. In all, Tauer stole $150,000 from his victims.

First Interstate Mortgage Corp.
Las Vegas, NV
Records Taken: 230
Type of Breach: Missing paper documents

Gregory Navone, a mortgage broker in Las Vegas who discarded consumers' personal financial records in a publicly- accessible dumpster paid a $35,000 civil penalty to
settle Federal Trade Commission charges according to a FTC statement on January 21. According to an FTC, the defendant improperly disposed of about 40 boxes of sensitive consumer records collected by companies he had owned, including tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers' licenses, and at least 230 credit reports.

Lincoln National Financial Securities
Radnor, PA
Records Taken: 1,200,000
Type of Breach: Exposure of data on Web

A vulnerability in the portfolio information system for broker-dealer subsidiaries of Lincoln National Corporation potentially exposed the records of 1,200,000 people; 18,900 were New Hampshire residents. Lincoln National notified the Attorney General of New Hampshire on January 4, that although an outside forensic review found no reason to believe that client data were actually accessed or misused, "information such as names, addresses, Social Security numbers, account numbers, account registration, transaction details, account balances, and in some cases, dates of birth and email addresses had been potentially exposed."

Suffolk County National Bank
Long Island, NY
Records Taken: 8,300
Type of Breach: Outside Network intrusion

Hackers stole the login credentials for more than 8,300 customers of Suffolk County National Bank after breaching its security starting on Nov. 18, 2009 and accessing a server that hosted its online banking system. The intrusion happened over a six-day period and was discovered on December 24 during an internal security review. In all, credentials 8,378 online accounts were pilfered, a number that represents less than
10 percent of the bank's total accounts.

Eastern Bank Corp.
Lynn, MA
Records Taken: 2,500
Type of Breach: Accidental breach

Eastern Bank Corp. of Lynn, MA disclosed in September 2009 that it mailed financial data regarding about 2,500 customers to the wrong addresses. Bank spokesperson Joe Bartolotta, says the bank welcomed the new Massachusetts state law requiring strong data security measures.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.