March 25, 2008

Pogo reports: big(gest) bank breach was covered up?

An anomaly surfaces on the breach scene. Lynn reports in comments via Dark Reading to Pogo:

With the exception of the Birmingham News, what may be the largest bank breach involving insider theft of data seems to have flown under the mainstream media radar. ...

In light of the details now available, the breach appears to be the largest bank breach involving insider theft of data in terms of number of customers whose data were stolen. The largest incident to date for insider theft from a financial institution involved the theft of data on 8.5 million customers from Fidelity National Information Services by a subsidiary's employee.

It is not clear at the time of this writing whether Compass Bank ever notified the more than 1 million customers that their data had been stolen or how it handled disclosure and notification. A request for additional information from Compass Bank was not immediately answered.

I would guess that the Feds agreed to keep it quiet. And gave the institution a get-out-of-jail card for the disclosure requirement. It would be curious to see the logic, and I'd be skeptical. On the one side, the damage is done, and the potential for a sting or new information would not really be good enough to compensate for a million victims.

On the other side, maybe they were also able to satisfy themselves that no more damage would be done? It still doesn't cut the mustard, because once identity victims get hit, they need the hard information to clear their credit records.

But, in the light of yesterday's post, let's see this as an exception to the current US flavour of breach disclosure, and see if it sheds any light on costs of non-disclosure.

Posted by iang at March 25, 2008 08:11 AM

Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, criticized the delay in public notification of the source of the breach.

"Visa and MasterCard have stipulated in their contracts with retailers that they will not divulge who the source is when a data breach occurs," Spitzer said. "We've been engaged in a dialogue for a couple years now about changing this rule.... Without knowing who the retailer is that caused the breach, it's hard for banks to conduct a good investigation on behalf of their consumers. And it's a problem for consumers as well, because if they know which retailer is responsible, they can rule themselves out for being at risk if they don't shop at that retailer."

Posted by: Secret Security! at March 26, 2008 07:11 AM

re: Liability for breaches: do we need new laws?

Has Banking Industry Overlooked Its Biggest Breach Ever?

Programmer who stole drive containing one million bank records gets 42 months; Only 250 customers notified of massive breach

from above:

The Compass Bank compromise is one of the largest bank-related breaches yet revealed, in terms of the number of customer records that were potentially exposed. The incident, however, appears to have surfaced for the first time only after the Birmingham News carried a story on the sentencing last week.

... snip ...

Posted by: Lynn Wheeler at March 26, 2008 08:05 PM

If hard police work determines that the data was obtained, but not leaked beyond the gang, why would customer notification help? Presumably, their risk is not changed by that kind of breach.

Posted by: Florian Weimer at April 4, 2008 03:54 PM

re: Pogo reports: big(gest) bank breach was covered up?

Insider Gets 42 Months for Stealing 1m Customer Records

from above:

According to court documents, Real stole Compass' database information in May 2007. The database included customer names, account numbers and passwords. He then used the information from the database to make counterfeit debit cards using a magnetic strip encoder and software purchased by Byrd. Between June and July 2007, the pair proceeded to use the counterfeit cards to access Compass customer accounts and withdraw funds from them, typically in amounts not exceeding $500 or so. The documents show that Real would wear disguises when making the ATM withdrawals -- in fact he was apprehended while wearing one.

... snip ...

Frequently breaches are discovered long before attackers are apprehended and all possible fraudulent activity has been identified.

In the past, breaches were kept quiet and any fraudulent activity was frequently treated as random activity. Breach notification allowed potential victims to take countermeasures (like closing accounts or freezing credit bureau records). There is also the possibility that publicity would help motivate preventive measures (crooks being prosecuted for fraudulent account activity but possibly never linked to breaches).

somewhat related post: Hannaford case exposes holes in law, some say

The Identity Theft Resource Center Reports That Data Breaches More Than Doubled in 2008 First Quarter
Data Breaches More Than Doubled in 2008 First Quarter
8.3 Million Records Spilled in Data Breaches This Year
Data breaches more common
Grocery Data Breach Offers Important Endpoint Lessons

Posted by: Lynn Wheeler at April 4, 2008 06:03 PM