Bank of America Corp. is working to recover from two data breaches allegedly perpetrated by insiders.
In one incident, a former B of A employee was arrested in California and charged with crimes connected to the theft of customer data that was then sold to crooks. In the second incident, Samuel Kioskli, a former Diebold Inc. employee, was charged with stealing $200,000 from seven Bank of America ATMs.
The cost of the data theft incident, about $10 million, was not substantial, but consumer fears over lost data and identity crime is a major problem for all banks. The suspect's name has not been released, since the court case is still under seal.
The stolen data included names, addresses, Social Security numbers, driver's license numbers, birth dates, email addresses, mother's maiden names, PINs and account balances. These have already been used to commit fraud. One victim told the Los Angeles Times that crooks ordered checks in his name and also initiated money transfers.
B of A, of Charlotte, N.C., has been notifying customers, but has not revealed details of the case, other than it involves a now-former staffer who gave customer data to people outside of the bank. B of A did not say how the suspect allegedly breached its database, nor has it said how many consumers were victimized.
Eloise Hale, a B of A spokeswoman, on Tuesday apologized for the incident, and said B of A has a wide range of protections in place to prevent insider fraud, including background checks during hiring processes and monitoring employee access to personal data.
"We have clear policies about the improper use of customer data, and when a compromise or fraud does occur, we have a strong refund policy for unauthorized transactions," said Hale, who would not provide specifics on B of A's employee data-access policies and controls, citing security concerns.
Kioskli was accused of using his Diebold work card key to steal money from machines in the San Francisco Bay Area.
Mike Jacobsen, a Diebold spokesman, said the company's technology enables it to know exactly where and when an automated teller machine is accessed by maintenance staffers. In this case, the suspect, whose employment was terminated shortly after the incident, was identified by Diebold, who then notified customers and authorities.
"In our industry you run the risk of activity of this nature," Jacobsen said. The suspect reportedly tried to replace stolen cash with counterfeit money, though Jacobsen said no "fake cash" was dispensed by compromised ATMs.
"The key is to have processes and the right kind of technology in place to allow you to react quickly," he said.
The incidents shed light on how hard it is for banks to fight insider crime, as insider fraud techniques skirt most anti-money-laundering protections and other technology safeguards. The siloed nature of banks also makes it tough to track internal fraud.
New options have emerged in recent months, such as systems that "fingerprint" personal devices such as mobile phones and USB ports, both of which are frequently used by insiders to obtain internal data.
Other strategies include the melding of social network analysis, historical versioning and Web-driven profiling of how users engage the bank and outside contacts.
Detica and SAS Institute Inc. offer versions of social network analysis aimed specifically at banks, and International Business Machines Corp. offers an enterprise identity insight product that can be used as part of fraud prevention. Other companies offer link and activity analysis to track a user's external activity and online relationships.
