Lots of people are fighting the recession by going back to school to broaden their skills. A decent idea, but not if you’re using identity theft to help pay tuition.

Federal prosecutors last week accused former Federal Reserve Bank of New York IT analyst Curtis Wiltshire, 34, of stealing personal information from other Fed bank employees to apply for about $73,000 in student loans. His brother, Kenneth Wiltshire, 40, allegedly stole the identities of two federal employees as part of a scam to borrow money to pay for a 2006 Sea Ray 340 Sundancer speedboat.

Curtis might be earning his degree in the slammer: He was charged with bank fraud and ID theft and faces more than 30 years in jail if convicted. Kenneth was charged with mail fraud and identity theft and could be speeding off to jail for up to 22 years. Curtis was fired from the Fed bank shortly after investigators in February found two student loan applications on a thumb drive attached to his work computer.
In the arrest affidavit, FBI Special Agent Cordel James said Curtis Wiltshire had access to computer files containing a treasure trove of information about the names of employees, dates of birth, social security numbers, and photographs.

The takeaway for banks isn’t to worry about employees looking to finance a higher education or who show a sudden interest in water sports, but rather to be aware of how very vulnerable sensitive employee data still is to insider threats. Part of the problem is many insiders, particularly workers with access to databases, have jobs—or used to have jobs—that require and allow them to see enough information to compromise other employees or customers. For example, more than 1.3 million former employees still have access to sensitive internal systems at their former companies, according to corporate security firm Cloakware.
“Unauthorized people will always try to get information they aren’t allowed to see, but authorized people will do unauthorized things with data that they can get to,” says Steve Katz, founder and president of Security Risk Solutions.

The incident also sheds light on emerging encryption technologies that could help combat internal breaches, such as  “format preserving encryption,” a product offered by firms such as Voltage Security, which applies strong encryption to specific fields of structured data stored in a database in a manner that doesn’t alter the size of the field. That gives the appearance that the data actually hasn’t been encrypted, throwing the crooks off base.

“The saboteur thinks he is getting real addresses and birth data, but if you put the numbers together it makes no sense,” Katz says. “It’s actually random data.”

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.