Mon 23 May 2005
CNN, via Slashdot, reports:
NEW YORK (CNN/Money) - Bank of America Corp. and Wachovia Corp. are among the big banks notifying more than 670,000 customers that account information was stolen in what may the biggest security breach to hit the banking industry.
Account information on the customers was illegally sold by bank employees to a man identified as Orazio Lembo, whom police said was doing business by illegally posing as a collection agency.
When police in Hackensack, N.J., first announced arrests in the case on April 28, they estimated that more than 500,000 people were affected. That number was raised to 676,000 Friday. Because some people have more than one account, Hackensack Police Chief Charles “Ken” Zisa says the number of accounts breached may top 1 million.
“As this gets going, these numbers are going to go up and up,” Hackensack Detective Capt. Frank Lomia told CNN earlier Monday, adding that more arrests may be coming in the case.
The data-theft may have been the biggest ever in banking, the Hackensack, N.J., police department said in a statement, citing an unnamed Treasury Department official.
Of the four banks involved in the case, Bank of America (up $0.01 to $46.58, Research), the nation’s No. 2 bank, has notified 60,000 customers of the problem. Wachovia (Research) has notified 48,000 customers.
Customer account numbers and balances were allegedly sold to Lembo, who then sold the information to collection agencies, the Hackensack police department said in a statement.
Wachovia customers whose account information was stolen have received complimentary one-year credit monitoring service and each account will also be monitored by the bank, a Wachovia spokesman told CNN, adding that two former Wachovia employees have been charged in the case.
Bank of America spokeswoman Alexandra Liftman said the bank was notifying customers affected, but added there was no evidence of account fraud or identity theft. Customers affected would be offered free credit monitoring, she said, adding Bank of America is cooperating with law enforcement officials and conducting its own internal investigation.
One associate who was named by police is “no longer with the bank,” Liftman said.
Charges filed
Last month, New Jersey police arrested and charged nine people, including seven bank employees and Lembo, who operated DRL Associates, the bogus collection agency, Hackensack police said. A tenth person was subsequently arrested. DRL did not qualify as a collection or detective agency, the police said.
“Based on forensic examination of Lembo’s computers, it was determined that he had employed upper-level bank employees to access and identify individual accounts in their respective banks,” the police statement said. “That information was then sold to his clients, which included more than 40 law firms and collection agencies.”
Lomia told CNN that Lembo paid $10 a name, convincing the bank employees that they wouldn’t get caught. He said the department has not yet classified this as an identity theft case but is watching it closely.
In addition to confidential bank information, DRL also obtained employment information from the manager of the New Jersey Department of Labor in Jersey City, Hackensack police said.
Police estimate that Lembo made several million dollars over the past four years; and that his informants each made tens of thousands of dollars in the scheme.
The department said it is continuing its investigation, and the Department of the Treasury and the Internal Revenue Service also are involved.
The FBI in Newark told CNN it is not handling the case, but that the Secret Service may become involved.
Lomia said the law firms that allegedly sought Lembo’s services are part of “phase two” of the investigation.
Other banks affected by the theft ring are Commerce Bancorp (Research), based in Cherry Hill, N.J., and PNC Financial Services Group Inc. (Research) PNC said it is cooperating with Hackensack police.