Banks Need to Bolt the Door Twice

Jessica Perry//July 11, 2005

Most of their security systems don't work when it's an inside job

JERSEY CITY

When the news broke recently that insiders at four banks in New Jersey had stolen and sold information from some 676,000 customer accounts (reportedly the largest ID theft in U.S. history), it was no big surprise to Richard O'Connell. The chief technology officer at AMIC Research says financial institutions focus on hackers and other outside threats but tend to ignore another group with the opportunity to steal personal information: employees.
"For many financial institutions, a big problem isn't just the hackers who are trying to break in, but the people inside who walk out with or otherwise transfer information," says O'Connell, whose Jersey City company designs security systems for banks and pharmaceutical firms. "Most companies have plenty of rules and regulations that restrict the type and volume of customer information that employees are supposed to access. But all too often there's little if any teeth behind them."
According to published reports, employees at New Jersey branches of four institutions (Cherry Hill-based Commerce Bank; Charlotte, North Carolina-based Wachovia and Bank of America; and Pittsburgh-based PNC Bank) constructed databases of names and other information for sale to collection agencies and other businesses. The suspects allegedly accessed the data while they were on the job and then printed out or copied the information by hand. Commerce Bank did not respond to a call seeking comment.
What's frustrating, says O'Connell, is that pattern-tracking and other kinds of software might have red-flagged the illicit activity and alerted management early on.
"Some programs can prevent people from engaging in cut-and-paste activity, while others will stop a user from printing a page," he says. "Other software, similar to the kind used by credit card companies to red-flag stolen accounts, can track the number of times certain accounts are accessed by an individual and then alert management if the number of searches suddenly jumps."
The suspects in the New Jersey bank-data theft case, for example, accessed up to 50 customer accounts a day in the normal course of business. Their searches escalated to about 500 a day as they sought to steal information.
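
The kind of access-count tracking described above can be sketched as follows. This is an added example, not code from the article or from any bank's system; the event format, employee names, thresholds and the access log itself are constructed assumptions that mirror the jump from roughly 50 to roughly 500 accounts a day.

```python
from collections import defaultdict
from statistics import median

def daily_counts(events):
    """events: (day, employee, account_id) tuples -> {employee: {day: distinct accounts}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, emp, acct in events:
        seen[emp][day].add(acct)  # repeat views of one account count once
    return {e: {d: len(a) for d, a in days.items()} for e, days in seen.items()}

def flag_spikes(events, min_history=5, k=6.0, floor=10):
    """Flag days whose count exceeds the employee's own median + k * spread.

    Spread is the median absolute deviation (MAD), with a floor so that a very
    steady employee is not flagged for a small, ordinary variation.
    """
    alerts = []
    for emp, days in daily_counts(events).items():
        history = []
        for day in sorted(days):
            count = days[day]
            if len(history) >= min_history:  # too little history: learn, don't alert
                base = median(history)
                mad = median(abs(c - base) for c in history)
                if count > base + k * max(mad, floor):
                    alerts.append((emp, day, count, base))
                    continue  # keep flagged days out of the baseline
            history.append(count)
    return alerts

def sample_events():
    """Constructed log: teller_a jumps from ~50 to ~500 accounts; teller_b stays steady."""
    per_day = {
        "teller_a": [48, 52, 50, 47, 51, 49, 500, 495],
        "teller_b": [45, 50, 55, 50, 48, 52, 60, 47],
    }
    events = []
    for emp, counts in per_day.items():
        for i, n in enumerate(counts, start=1):
            day = f"day-{i:02d}"
            events += [(day, emp, f"acct-{j}") for j in range(n)]
            events.append((day, emp, "acct-0"))  # duplicate lookup, ignored by the count
    return events

if __name__ == "__main__":
    for emp, day, count, base in flag_spikes(sample_events()):
        print(f"ALERT {emp} {day}: {count} accounts accessed (baseline {base})")
```

A new account with no history is never flagged by this baseline alone, so an absolute daily ceiling would be needed alongside it.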
It is past time for banks to pay more attention to people on the payroll, says Captain Frank Lomia, a Hackensack detective who worked on this case and other ID-theft investigations. "Banks appear to be concentrating on outsiders' attempts to get into their systems," he says, "but there doesn't seem to be as much emphasis on preventing employees from misusing data."
In fact, he says, New Jersey's privacy laws are part of the problem. "In New York state, banks tend to share information about problem employees, so there's less of a chance for them to migrate from one institution to another," Lomia says. "New Jersey's privacy laws keep banks here from doing that, so if an employer has suspicions about a worker he can't easily communicate it to others in the industry. In this case, for example, some of the suspects left their employers [where they had lifted customer data] and moved on to other banks before they were arrested." Nine people have already been arrested, and Lomia expects "many more" will be collared.
Do New Jersey bankers lag behind other states when it comes to sharing information about suspect employees? Marshall McKnight, a spokesman for the state Department of Banking and Insurance, says the state agency does not regulate this kind of activity. According to Timothy E. Doherty, a spokesman for the New Jersey Bankers Association, many New Jersey banks participate in FinCrime, a national computer network that ties together financial institutions with police and other law-enforcement agencies, but that program targets money laundering and other "outsider" crimes. He says names of suspicious employees would not be posted to FinCrime and that employers are leery of sharing such concerns. "I've heard concerns that sharing details about employee performance could lead to a lawsuit," says Doherty.
Of course there are other ways of losing important information. Last week, for example, sensitive information concerning 3.9 million Citigroup customers went missing when a UPS courier lost a box of computer tapes. Although there's reportedly been no evidence of a heist in this case, the mishap added to bank customers' jitters.
"Financial institutions used to think there was only one way for their sensitive information to get out the door, and it was fairly easy to control it," O'Connell says. "But as more work is done in more places, including offshore, they're realizing that there are a lot of ways for it to get out. Banks have got to pay more attention to where the information resides, how to identify and protect proprietary information and how to confirm that the right people are getting it."