Monday, June 13, 2011

Insider Abuse at Bank of America Costs $10 Million

According to the L.A. Times, an insider at Bank of America leaked information on 300 customer accounts to accomplices, leading to unauthorized withdrawals of more than $10 million. It's unclear how effective existing fraud detection tools were in uncovering the theft, as more than a year passed between the detection of the problem and the time customers were notified. Some customers only detected a problem after examining account activity or receiving notices from UPS that delivery of new checks had been attempted.
Bob Glithero, VP Business Intelligence, Veriphyr
In this case, a BofA employee with access to customer information is alleged to have leaked personally identifiable information such as names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's license numbers, birth dates, e-mail addresses, family names, PINs and account balances.

Jim Kollar, assistant special agent in charge of the Secret Service's Los Angeles office, said Secret Service and FBI agents arrested 95 suspects in the case in February. He said it's possible the suspects have gang ties.
"It was a ring of people, based in Southern California, with an inside person at the bank pushing out the information," Kollar said. "They had a lot of people on the outside receiving that information."
Even with appropriate identity management controls, such as background checks and provisioning employees only with the minimum access necessary for their job function, companies will still face exposure from insiders who have appropriate rights for their jobs - and then abuse those rights. Verification that user activity is in line with authorized privileges and expected behavior is one effective defense against insider abuse: when you have a teller who is accessing many times more accounts than his peers over a given period, a follow-up investigation may be warranted.
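The peer comparison described above, as an added example that is not from the original post or from Veriphyr's product: it counts the distinct accounts each user touched in a time window and flags anyone at or above a multiple of the median for same-role peers. The log layout, the 3x ratio and the minimum peer count are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def flag_peer_outliers(events, start, end, ratio=3.0, min_peers=3):
    """Flag users whose distinct-account count in [start, end) is at least
    `ratio` times the median count of the *other* users in the same role.
    events: iterable of (timestamp, user, role, account_id) tuples (assumed layout).
    Returns {user: (distinct_accounts, peer_median)}."""
    touched = defaultdict(set)  # (role, user) -> distinct accounts accessed
    for ts, user, role, account in events:
        if start <= ts < end:
            touched[(role, user)].add(account)  # repeat lookups count once
    by_role = defaultdict(dict)
    for (role, user), accounts in touched.items():
        by_role[role][user] = len(accounts)
    flagged = {}
    for role, counts in by_role.items():
        for user, n in counts.items():
            # Exclude the user under review so a heavy user cannot raise
            # the baseline they are measured against.
            peers = [c for u, c in counts.items() if u != user]
            if len(peers) < min_peers:
                continue  # too few peers for a meaningful baseline
            baseline = median(peers)
            if n >= ratio * baseline:
                flagged[user] = (n, baseline)
    return flagged


def build_sample_events():
    """Constructed sample data: four tellers and two managers, one busy week."""
    t0 = datetime(2011, 5, 2, 9, 0)
    volume = {("teller", "t1"): 4, ("teller", "t2"): 5, ("teller", "t3"): 3,
              ("teller", "t4"): 40, ("manager", "m1"): 30, ("manager", "m2"): 28}
    events = [(t0 + timedelta(minutes=i), user, role, f"ACCT-{user}-{i:03d}")
              for (role, user), n in volume.items() for i in range(n)]
    events += [(t0, "t1", "teller", "ACCT-t1-000")] * 10  # same account, re-opened
    events.append((datetime(2011, 6, 1), "t2", "teller", "ACCT-late"))  # outside window
    return events


if __name__ == "__main__":
    week = (datetime(2011, 5, 2), datetime(2011, 5, 9))
    for user, (n, base) in flag_peer_outliers(build_sample_events(), *week).items():
        print(f"{user}: {n} distinct accounts vs peer median {base}")
```

Users with no activity in the window never appear in the counts, so the baseline reflects active peers only; a flag is a prompt for follow-up investigation, not a finding.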

However, there is also a need to provide verification and reporting of access and activity exceptions in a way that business managers and executives can quickly understand and that does not tax an already overworked IT staff. The verification process should be made more effective and more efficient by making better use of data the organization already has, without adding more hardware or software and by replacing manual activity whenever possible.
Veriphyr Identity and Access Intelligence provides effective verification that user activity corresponds with approved policies and authorized behavior. Veriphyr analyzes identities, privileges, and user activity to detect violation of access control down to the record level to deter snooping into sensitive data. There’s no hardware or software to install and no integration needed with your existing systems.
Sources:
(a) Bank of America data leak destroys trust - Los Angeles Times, May 24, 2011



Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.
