Bank of America call center employee stole customer information


Date Reported:
6/2/10

Organization:
Bank of America

Contractor/Consultant/Branch:
None

Location:
Tampa, Florida

Victims:
Customers*

*Primarily customers with more than $100,000 in their accounts

Number Affected:
Unknown

Types of Data:
"name, date of birth, mailing address, tax identification number and telephonic password"

Breach Description:
"An employee in one of Bank of America's customer call centers has admitted he stole sensitive account information and tried to sell it for cash."

Reference URL:
St. Petersburg Times
The Register

Report Credit:
Robbyn Mitchell, St. Petersburg Times

Response:
From the online sources cited above:

TAMPA — A former Bank of America employee pleaded guilty to bank fraud in federal court Tuesday for attempting to sell customer information for a share in the profit.
[Evan] I think many organizations underestimate the risks posed by insiders.  The impact of these breaches can be significant, and detection can be very difficult.

Brian Matty Hagen met with an undercover FBI agent at a Sun City Center restaurant on March 10 to sell him a customer's name, date of birth, mailing address, tax identification number and telephonic password, according to the plea agreement.
[Evan] I wonder how the FBI agents were originally tipped off.  Did Bank of America inform the FBI, did someone else inform the FBI, or did Mr. Hagen make obvious mistakes in the manner in which he attempted to find an accomplice?

Hagen was an employee of Bank of America's call center and had access to customer information.
[Evan] In my experience, call center employees are often given more access to information than they need in order to complete their authorized tasks.  Why would a call center employee need access to a customer's Social Security number?  Does a Social Security number help to improve the service given to a customer?  We know the answer to this question.  Social Security numbers are used by financial institutions as identifiers and authenticators, and therein lies a big part of the problem.

Hagen admitted targeting customers with more than $100,000 in their accounts.

When one customer identified by the initials E.H.S. called to find out if automatic payments to a Netflix account had been stopped, Hagen captured the customer's data and turned it over to the undercover fed.

E.H.S. had a balance of almost $445,000.
[Evan] E.H.S. might want to send the FBI a thank you note.

A second agent later paid Hagen $2,500 — they had agreed on a quarter of all profits — and arranged another meeting, records show.

Hagen met with the second agent on April 7 and was told he'd been caught.
[Evan] Holy cow!  Can you imagine the shock?  The picture of this guy's face would be priceless.

A search by the FBI found that the potential loss for customers was more than $1.3 million.
[Evan] Even though Mr. Hagen was caught, he still cost the bank (and its customers) $1.3 million.

Hagen faces up to 30 years in prison, $1 million in fines, five years of probation and restitution of the $2,500.

Prosecutors agreed to recommend a much lower sentence in exchange for his cooperation.

Commentary:
Like I said earlier, insider breaches are sometimes very hard to prevent and detect.  I am sure that the Bank of America did their background checks on Mr. Hagen and put him through the standard hiring practices.  Despite the pre-hire due diligence, Mr. Hagen still committed fraud and cost the bank/customers over one million dollars in loss.  So what could have been done to prevent this?  Could prevention have cost less than $1,000,000?

Mr. Hagen and other call center employees have specific roles with specific responsibilities.  Access to information must be limited to that which is required to fulfill their assigned (and authorized) responsibilities.  If the same work can be done effectively without the use and/or disclosure of Social Security numbers (or other sensitive information), then restricting access to such information is only prudent.  The use of Social Security numbers is probably acceptable given the bank's current call center processes.  Perhaps an argument could be made that the bank's processes are in need of change.
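As an added illustration of the least-privilege point above (example code written for this post, not Bank of America's systems; the roles, field policy and sample customer are assumed), here is a call-center record view that exposes only the fields the role needs, masks the tax identification number, and lets an agent verify the telephonic password without ever seeing it:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class CustomerRecord:
    name: str
    dob: str
    address: str
    tax_id: str            # full SSN/TIN: stored, never displayed to agents
    balance: float
    pw_salt: bytes         # telephonic password is kept only as a salted hash
    pw_hash: bytes

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_record(name, dob, address, tax_id, balance, phone_password) -> CustomerRecord:
    salt = secrets.token_bytes(16)
    return CustomerRecord(name, dob, address, tax_id, balance, salt, hash_pw(phone_password, salt))

# Assumed per-role field policy (illustrative, not the bank's actual policy).
ROLE_FIELDS = {
    "call_center": {"name", "address"},                            # enough to answer a payment query
    "fraud_analyst": {"name", "dob", "address", "tax_id", "balance"},
}
PROFILE_FIELDS = ("name", "dob", "address", "tax_id", "balance")

def view_for_role(rec: CustomerRecord, role: str) -> dict:
    """Return the record as the role is allowed to see it: SSN/TIN masked, other fields redacted."""
    allowed = ROLE_FIELDS[role]
    view = {}
    for field in PROFILE_FIELDS:
        value = getattr(rec, field)
        if field in allowed:
            view[field] = value
        elif field == "tax_id":
            view[field] = "***-**-" + value[-4:]   # last four only, for confirmation prompts
        else:
            view[field] = "[redacted]"
    return view

def verify_phone_password(rec: CustomerRecord, attempt: str) -> bool:
    """The agent submits what the caller said; the stored secret never leaves this function."""
    return hmac.compare_digest(hash_pw(attempt, rec.pw_salt), rec.pw_hash)

# Constructed sample customer; no real data.
SAMPLE = new_record("Sample Customer", "1970-01-01", "1 Example St, Tampa FL", "123-45-6789", 250000.0, "bluebird")
```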

It is safe to assume that Mr. Hagen's banking career has come to an end.  Will Bank of America notify affected customers, or have they already?


Past Breaches:
Unknown

Comments
  • 6/23/2010 7:53 AM peter747 wrote:
    Wow! I work for a Philippine call center and I think it is Bank of America's call center policy on privacy that should be reviewed...
