Countrywide insider steals then sells thousands of customer records

Date Reported:
8/1/08

Organization:
Bank of America

Contractor/Consultant/Branch:
Countrywide Financial Corporation
Full Spectrum Lending

Victims:
Customers and mortgage applicants

Number Affected:
"as many as 2 million"

Types of Data:
Names, addresses, telephone numbers, Social Security numbers, and other personal information

Breach Description:
"The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers, of as many as 2 million mortgage applicants."

Reference URL:
The Mercury News
KGW-TV Channel 8 News
Los Angeles Times
vnunet.com

Report Credit:
Thomas Watkins, Associated Press via The Mercury News

Response:
From the online sources cited above:

The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers, of as many as 2 million mortgage applicants.
[Evan] Employee theft and fraud cases are tough to swallow and challenging to prevent.  These cases are significantly underreported.

The breach in security, which occurred over a two-year period through July.
[Evan] Two years without detection!

The insider was identified as Rene L. Rebollo Jr., 36, who had worked as a senior financial analyst at Full Spectrum Lending, Countrywide's subprime lending division.
[Evan] With all the other subprime mortgage lending problems facing the country, now we have losers like this to add to the mess (for some people anyway).

He was arrested at his home in Pasadena and charged with unauthorized access to a financial institution's computers.

Authorities also arrested Wahid Siddiqi, 25, at his home in Thousand Oaks. Authorities alleged that he was a reseller of Countrywide data.

"Some, perhaps most, and possibly all the names were being sold to people in the mortgage industry to make new pitches," U.S. attorney's spokesman Thom Mrozek said.
[Evan] I don't know how a person could validate this.

Rebollo appeared in court Friday afternoon and was released on $80,000 bond.

Siddiqi was being held on a fraud charge pending a court appearance Monday.

the FBI said Rebollo had voluntarily described the scheme

Rebollo said he would charge $400 or $500 for batches of thousands of "leads" -- personal and account information that presumably would help outside loan agents solicit new mortgages from the Countrywide applicants, some of whom had been denied loans by the Calabasas company.

Prosecutors suspect the data was eventually sold to companies that would then try to make other loans to the Countrywide customers, said Thom Mrozek, a spokesman for the U.S. attorney's office.

Authorities said they didn't know whether any of the information had been used for outright fraud, such as identity theft.

Rebollo would copy information on about 20,000 customers at a time on Sunday nights by using a Full Spectrum computer that did not have the same security features that other machines in the office had, according to the affidavit by FBI Special Agent Richard P. Ryan.
[Evan] This is a good example that demonstrates the importance of extending security and controls to all information systems with access to confidential information, whether it be a mobile system, a system at a subsidiary organization, a system at a branch office, or a system at a third-party partner location.  The Full Spectrum computer used in this breach should have had the same preventative and detective controls applied to it as any other system used throughout Countrywide with access to confidential information.  The fact that it didn't made this breach more probable and less detectable.

At that rate, the U.S. attorney's office said, Rebollo would have compromised up to 2 million customer profiles for about 2.5 cents each -- an astonishingly small amount considering the importance of the material.

Mortgage leads are among the most expensive for sale because of the potential payoffs to intermediaries when loans are made.

Social Security numbers alone generally fetch dollars, not pennies, since they can be used to open new bank accounts.

"It's the potential for new-account fraud that arises when Social Security accounts are compromised," said Beth Givens, director of the nonprofit Privacy Rights Clearinghouse.

"This guy obviously didn't do his homework. He doesn't know the value of these on the black market," she said.
[Evan] Does this reflect on Mr. Rebollo's intelligence?  I guess it doesn't take a rocket scientist to breach the defenses that took millions of dollars and thousands of hours to build.

Countrywide detected the breach and alerted federal authorities, according to Suzy Martin, a spokeswoman for the company, which was acquired by Bank of America on July 1.

On July 7, a confidential witness working for the FBI ordered several thousand customer profiles for $4,000 from Siddiqi, according to the complaint.

The witness asked if the leads were "fresh" from Countrywide, to which Siddiqi allegedly said yes and added the data had full Social Security numbers, the complaint said.

"That raises the specter of significant problems for the Countrywide clients," Mrozek said.

If convicted, Rebollo could face up to five years in federal prison, and Siddiqi could face up to 15 years.
[Evan] Does 5 years seem like enough to you?

On July 15, Rebollo voluntarily turned over to the FBI a flash drive he used to download the information and a personal computer, according to Ryan.
[Evan] Today, a person can buy an 8GB flash drive for less than $30, and 8GB is enough storage capacity to store 80 meters of shelved books.

The agent said in his affidavit that he pulled up about 40 spreadsheets at random from the flash drive.

"I observed large quantities of names associated with several columns of numeric data," Ryan wrote. "These columns contained telephone numbers, addresses and Social Security account numbers. Each spreadsheet contained several thousand lines of data."

Rebollo's attorney later called to say Rebollo had revoked permission for the FBI to search the drive and computer, and the searches stopped "pending further discussions regarding Rebollo's potential cooperation in the investigation," Ryan said.

A criminal complaint against Rebollo said that he earned about $65,000 a year at Countrywide and had opened a personal bank account for holding what he estimated to be up to $70,000 in proceeds from Countrywide data sales.
[Evan] How much money will Rebollo earn in prison, and how much will he be able to earn when he gets out with a felony on his record?  Long-term, he is probably a loser.

The complaint said Siddiqi sold computer discs containing data on Countrywide customers to a witness working for the FBI, taking in $4,000 for about 38,000 customer profiles.

Countrywide spokeswoman Susan Martin said 19,000 customers had so far been identified as having their identities compromised.

Victims were being contacted by mail and would be offered free credit monitoring services for two years, she said.

Countrywide Communications Vice President Susan Martin said affected customers would be notified by mail. A special hotline was set up at .

Commentary:
According to news reports, Mr. Rebollo may have compromised the confidentiality of up to 2,000,000 personal records.  In reality the number may be much smaller, but the potential is there.

So how do we prevent these breaches from occurring?  The short answer is that there is no short answer.  There is no fool-proof (and I mean "fool") way to ensure that these breaches will not ever happen at your company, but remember that we (meaning information security professionals) are not in the risk elimination business, we are in the risk reduction business.  We can analyze the risk of employee fraud as best we can and implement best practices such as regular background checks (if permitted by law), training and awareness programs, segregation of duties and job rotation, but at the end of the day, people are human.  What tempts and motivates certain people is sometimes hard to understand and predict.
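
The pattern described in the affidavit (about 20,000 customer records at a time, on Sunday nights, from a machine without the office's standard security features) is the kind of activity a simple detective control can surface. The sketch below is an added example, not code from this post or from Countrywide; the log format, user names, host names, business-hours window and threshold are assumptions, and the sample log lines are constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample access log (assumed format): timestamp,user,host,records_read
SAMPLE_LOG = """\
2008-06-01T22:14:00,analyst_a,ws-unmanaged-07,20000
2008-06-02T10:05:00,analyst_b,ws-managed-12,140
2008-06-03T14:30:00,analyst_a,ws-managed-03,95
2008-06-08T21:50:00,analyst_a,ws-unmanaged-07,12000
2008-06-08T22:40:00,analyst_a,ws-unmanaged-07,8000
2008-06-11T11:20:00,batch_svc,ws-managed-01,25000
"""
# Hypothetical inventory of hosts that carry the standard security controls.
MANAGED_HOSTS = {"ws-managed-01", "ws-managed-03", "ws-managed-12"}


def off_hours(ts):
    """True on weekends, or outside 07:00-19:00 on a weekday (assumed window)."""
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19


def flag_bulk_access(log_text, managed_hosts, daily_threshold=5000):
    """Sum records read per (user, host, day) and report totals at or over the
    threshold that also occurred off-hours or on a host outside the inventory."""
    totals = defaultdict(int)
    seen_off_hours = defaultdict(bool)
    for stamp, user, host, count in csv.reader(StringIO(log_text)):
        ts = datetime.fromisoformat(stamp)
        key = (user, host, ts.date())
        totals[key] += int(count)  # several smaller pulls in one day still add up
        seen_off_hours[key] = seen_off_hours[key] or off_hours(ts)
    findings = []
    for (user, host, day), total in sorted(totals.items(), key=lambda kv: kv[0][2]):
        reasons = []
        if seen_off_hours[(user, host, day)]:
            reasons.append("off-hours")
        if host not in managed_hosts:
            reasons.append("unmanaged-host")
        if total >= daily_threshold and reasons:
            findings.append({"user": user, "host": host, "day": day.isoformat(),
                             "records": total, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_bulk_access(SAMPLE_LOG, MANAGED_HOSTS):
        print(finding)
```

A large weekday pull from a managed host (the `batch_svc` line) is not flagged here; whether that should also alert depends on what bulk access is legitimately expected in a given environment.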

Past Breaches:
Unknown


 