Euro Security Watch with Mathew J. Schwartz

Breach Notification , Incident & Breach Response , Managed Detection & Response (MDR)

SunTrust: 1.5 Million Clients' Details Potentially Stolen

Blame Insider Theft, 'Not a Data Breach,' Claims Atlanta Bank's CEO
SunTrust: 1.5 Million Clients' Details Potentially Stolen
SunTrust's homepage fails to mention that 1.5 million customers' personal details may have been stolen and shared "with a criminal third party."

Great news: "SunTrust to offer free identity protection ... at no cost on an ongoing basis."

See Also: BEC Defense: Advanced Tactics to Shield Your Organization

Of course, nothing comes for free.

Indeed, the announcement of the supposed freebie comes by way of a press release from Atlanta-based SunTrust Banks, which some rank as being the country's fourteenth biggest bank.

But the announcement comes with further red flags. Notably, it was published on Friday, which is the day that many organizations release bad news in the hope that it will get buried by the weekend news cycle.

The press release also announces: "SunTrust cares deeply about the privacy and security of client information."

That, of course, is corporate-speak for a business that has lost control of its customers' data privacy and information security, potentially leading to fraud.

Here's how: "[SunTrust] became aware of potential theft by a former employee of information from some of its contact lists," the release states. "Although the investigation is ongoing, SunTrust is proactively notifying approximately 1.5 million clients that certain information, such as name, address, phone number and certain account balances may have been exposed."

The suspected theft of the contact information didn't result in any other types of personally identifying information - Social Security numbers, account numbers, PINs, user IDs, passwords or driver's license information - being compromised, SunTrust says.

The bank notes that so far, it hasn't received any reports of "significant fraudulent activity" that might indicate that the potentially stolen information has already been monetized by attackers.

Of course, such activity can take months or years to come to light (see LinkedIn Breach: Worse Than Advertised).

But the bank promises that clients "will not be held responsible for any loss on their accounts as a result" of the suspected data exposure.

Earnings Call Alert

News of the suspected breach first came to light during a Friday earnings call.

"In conjunction with law enforcement, we discovered that a former employee while employed at SunTrust may have attempted to print information on approximately 1.5 million clients and share this information with a criminal third party," Bill Rogers, SunTrust's chairman and CEO, said during the call.

"We believe this information included names and account balances, but it did not include personally identifiable information such as Social Security numbers, account numbers and users' IDs, passwords or driver's license numbers," he added. "We and third parties have done forensic analysis on these accounts, and we have not identify significant fraudulent activity regarding the effect of the accounts."

Don't Say 'Data Breach'

On the earnings call with analysts, Bank of America's Erika Najarian asked Rogers, in light of the "data breach issue," what sorts of spending the bank might be facing to improve its systems so that an insider wouldn't have the ability to access and exfiltrate so much data at once.

"This was not a data breach," Rogers responded.

He also acknowledged that "clearly that employee was not authorized to get that level of information; we clearly are reviewing systems and capabilities - but it's not a disproportionate level of investment. This is something we've been investing in for a long time; we're going to continue invest ... This is unfortunately the world we live in, and [we] will continue to have a high level of investment that we have in the past."

Analysts at independent investment banking advisory firm Evercore were more circumspect. "While management appears to be proactively addressing the data issue, we expect a degree of uncertainty to persist as the duration, breadth and financial impact of any related investigations (both internal and external) are not yet known," they wrote in a client note, Reuters reported.

Fraud-Spotting Fun

To provide prepaid identity theft monitoring services, SunTrust isn't using Atlanta-based firm Equifax, which offers such services, but rather one of its rivals: Dublin-based Experian.

SunTrust says it's also monitoring the 1.5 million clients' accounts, including their FICO scores, for signs of fraud.

"Ensuring personal information security is fundamental to our purpose as a company of advancing financial well-being," SunTrust CEO Rogers says in a statement explaining how his company failed to ensure customers' information security well-being.

"We apologize to clients who may have been affected by this," he adds. "We have heightened our monitoring of accounts and increased other security measures."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.