ID theft - Why It's Your Concern Too
1 comment(s)
The Countrywide data breach provides an example of how much damage can be caused when an employee has unfettered access to customer data. The number of customers impacted by this theft is truly staggering. It is estimated that approximately 17 million individuals' personal data was exposed. In an FBI affidavit, the alleged perpetrator, Rene Rebollo, estimated that he had stolen 20,000 records every week over the course of two years. To do so, Rebello admitted using a USB thumb drive to download Excel files containing the stolen data. Further, he acknowledged receiving $50,000 to $70,000 from selling the data.
This theft should never have been allowed to take place. If one of your bank's employees steals large amounts of data, do you want to try convince your customers that you didn't have the technology in place to monitor their activity?
The costs associated with this data theft are considerable. As part of class action lawsuit, 17 million customers will receive free credit monitoring. In addition, for customers that end up being victims of identity theft they will receive up to $50,000 per incident. Not to mention the legal cost of defending a class action lawsuit. If Countrywide had continued as a going concern (it was bought by Bank of America in 2008) it would also have suffered tremendous damage to its reputation.
Once a customer's data has been compromised at another institution, does that increase the probability that your financial institution will see fraud attempt(s) using the stolen identity? It is hard to tell, but consider the chart below that shows a simple, yet routine path for stolen data.
Once data is in the hands of criminals, where it ends up is anyone's guess. It may be used immediately, traded, or remain in the hands of the fraudster until they feel it can be put to best use. Alternatively, it may never be used to commit fraud. It is impossible to know for sure what happens to the data once it leaves the bank.
The more elements of the person's identity that are present, the more valuable the data will be to a fraudster. For example, if the stolen data set contains, social security numbers, addresses, and dates of birth, that bundle of data is more valuable than data that only contains addresses and dates of birth. Financial institutions must view their data with a "criminal's eye". Your customers' data must be protected at source. Granting access to mountains of data without policing what employees do with their access is asking for trouble.
Let's face it; Robello's activity was clearly unusual (to say the least!). Failing to detect the theft of 20,000 records as a one-time event is somewhat understandable. Failing to detect 20,000 records being stolen every week over the course two years is pretty much indefensible. Countrywide should have had the capabilities to flag his activity as unusual. Today's fraud detection tools would have easily determined that Robello was an outlier and flagged his activity for additional forensic analysis.
What tools do you have in place to stop a "Countrywide" data theft from taking place at your bank?