[ISN] Bank security breach may be biggest yet

InfoSec News isn at c4i.org
Tue May 24 04:55:36 EDT 2005


May 23, 2005

NEW YORK (CNN/Money) - Bank of America Corp. and Wachovia Corp. are
among the big banks notifying more than 670,000 customers that account
information was stolen in what may be the biggest security breach to hit
the banking industry.

Account information on the customers was illegally sold by bank
employees to a man identified as Orazio Lembo, who police said was
doing business by illegally posing as a collection agency.

When police in Hackensack, N.J., first announced arrests in the case
on April 28, they estimated that more than 500,000 people were
affected. That number was raised to 676,000 Friday. Because some
people have more than one account, Hackensack Police Chief Charles
"Ken" Zisa says the number of accounts breached may top 1 million.

"As this gets going, these numbers are going to go up and up,"  
Hackensack Detective Capt. Frank Lomia told CNN earlier Monday, adding
that more arrests may be coming in the case.

The data theft may have been the biggest ever in banking, the
Hackensack, N.J., police department said in a statement, citing an
unnamed Treasury Department official.

Of the four banks involved in the case, Bank of America (up $0.01 to
$46.58), the nation's No. 2 bank, has notified 60,000
customers of the problem. Wachovia has notified 48,000

Customer account numbers and balances were allegedly sold to Lembo,
who then sold the information to collection agencies, the Hackensack
police department said in a statement.

Wachovia customers whose account information was stolen have received
complimentary one-year credit monitoring service and each account will
also be monitored by the bank, a Wachovia spokesman told CNN, adding
that two former Wachovia employees have been charged in the case.

Bank of America spokeswoman Alexandra Liftman said the bank was
notifying customers affected, but added there was no evidence of
account fraud or identity theft. Customers affected would be offered
free credit monitoring, she said, adding Bank of America is
cooperating with law enforcement officials and conducting its own
internal investigation.

One associate who was named by police is "no longer with the bank,"  
Liftman said.

Charges filed

Last month, New Jersey police arrested and charged nine people,
including seven bank employees and Lembo, who operated DRL Associates,
the bogus collection agency, Hackensack police said. A tenth person
was subsequently arrested. DRL did not qualify as a collection or
detective agency, the police said.

"Based on forensic examination of Lembo's computers, it was determined
that he had employed upper-level bank employees to access and identify
individual accounts in their respective banks," the police statement
said. "That information was then sold to his clients, which included
more than 40 law firms and collection agencies."

Lomia told CNN that Lembo paid $10 a name, convincing the bank
employees that they wouldn't get caught. He said the department has
not yet classified this as an identity theft case but is watching it

In addition to confidential bank information, DRL also obtained
employment information from the manager of the New Jersey Department
of Labor in Jersey City, Hackensack police said.

Police estimate that Lembo made several million dollars over the past
four years, and that his informants each made tens of thousands of
dollars in the scheme.

The department said it is continuing its investigation, and the
Department of the Treasury and the Internal Revenue Service also are

The FBI in Newark told CNN it is not handling the case, but that the
Secret Service may become involved.

Lomia said the law firms that allegedly sought Lembo's services are
part of "phase two" of the investigation.

Other banks affected by the theft ring are Commerce Bancorp,
based in Cherry Hill, N.J., and PNC Financial Services
Group Inc. PNC said it is cooperating with Hackensack

