Slashdot Mirror
Over Half a Million Bank Accounts Breached
Gone Phishing writes "CNN is reporting that about 676,000 bank accounts in at least four banks (Bank of America, Wachovia, Commerce Bancorp, and PNC Financial Services) have had personal information "illegally sold". Over 60,000 customers have been notified so far."
I'm sure the answer will be higher fees though, so in the long run the banks will be fine.
So, the people at the banks will face charges, as will the Lembo, the "mastermind".
But, what about the 40 collection agencies and law firms? Will they face civil charges? Criminal charges? Both? Surely they knew they were up to no good, and they were the ones funding the information theft in the first place -- all so that they could illegally harass debtors.
Will the Feds follow the money?
Support a few technologists in Washington.
If an individual or group intentionally leaked or sold this information it is most certainly a crime. Laws are a punishment, not a absolute way to prevent crimes. If the perpetrator is convinced they can get away with this and profit from it, then they are not going to be worried about the fine print of the numerous laws they are breaking.
Based on forensic examination of Lembo's computers, it was determined that he had employed upper-level bank employees to access and identify individual accounts in their respective banks," the police statement said.
It doesn't matter what laws you enact. If you RTFA, you'll see that this was an inside job done by corrupt upper-level employees. Setting aside security-Utopia for a second, at some point you have to trust your own employees, especially "upper level" ones. When that trust turns out to be misplaced, there's not a lot one can do to prevent malfeasance.
I'm a big tall mofo.
Great. So far this year I've received a letter from from LexisNexis and Choice Point. When my identity was stolen at the beginning of the year I thought "How could this happen? I have been so careful with my information." Apparently is doesn't matter how careful *I* am when everyone else just seems to be giving it away. Something has to be done to punish these people other than sending me a letter with how to PAY someone to watch my credit and alert me to "changes".
This is similar to the Choicepoint breach where account information was sold to an illegitimate company posing as a real customer. The main difference here is that there were "inside guys" who knew the selling of the data was to a bogus firm. What I find most interesting is that the main clients that the perpetrator (Orazio Lembo) sold to were.. wait for it... law firms and collection agencies! Talk about a vicious hive of scum and villiany.
I say it will only get worse because the Sarbanes-Oxley Act is coming into effect which requires companies to put into place access controls to monitor/audit who has access to what information (among other things). The SOX, in conjunction with the Gramm-Leach-Bliley Act are forcing corporations to get their financial house in order in such a way that this type of malfeasance is getting much harder to hide. Expect to see more of the same for quite some time.
While I think it's nice that these laws are having their desired effect I still envy those wacky europeans and their data protection laws.
Amoeba
Do not taunt Happy-Fun Ball
I don't like Bush's policies either, but let's not just make things up, ok? First, not all class action suits are "forced" to federal court, only very large suits.
Second, they're moved to federal court not because federal courts are more business-friendly, but because of procedural differences in state court vs federal court. State courts tend to be more relaxed in due process procedures, and award ridiculous damages that are confiscated by private law firms. The ease with which a class action suit can be won in a small jurisdiction for enormous rewards has caused capitalistic law firms to seek out groups of marginally damaged people and organize them for a suit. This has caused a tenfold increase in class action lawsuits over the last decade.
Meanwhile, plaintiffs from multiple states with complaints against the same defendant could not organize on a federal level and file in federal court, due to procedural restrictions that prevented class action suits from being moved out of state. Thus you had the dangerous situation of one state's courts determining a case that would have national prescedent ramifications, and this seriously violates the principles of federalism. For a guy who bitched in his post about removing checks and balances, you're also complaining about legislation that was intended to prevent one state from determining national policy via state courts that are cherry-picked by millionaire attorneys.
The legislation in question removed some of the roadblocks to moving large cases with multistate plaintiffs to federal court by granting original jurisdiction of a case to the District Courts instead of the state courts for large suits in which there are multistate plaintiffs.
You then characaterize all this in your tired anti-Bush ranting as some pro-business move that Bush enacted for his cronies. First, that's not how a bill becomes a law, and you ought to know that by now. Presidents do not sponsor legislation in committee, nor vote on them in congress. They sign them.
There are a shitload of legitimate things to criticize President Bush about, but I'm tired of this hate-filled ranting that's misinformed. It's really hard to push for social evolution and progress when most of the people on your side are ignorant and more concerned with politics than anything else.
Oops, I forgot our legislature is too busy removing checks and balances (Senate) and debating corrupt members (House) to get anything else done.
I'm not sure what you're talking about here, so I can't really respond to you. The only major battle I know of in the Senate is over appelate court nominations, and I haven't read anything yet about changes to how nominations are handled.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
Seems like the bigger the bank, the bigger the security breach.
Well, duh. You're certainly not going to see 600,000 peoples accounts stolen from a credit union with only 20,000 customers. That doesn't mean it's any more secure.
Badass Resumes
as for punishment, sure, that sounds good, but would be nearly impossible to implement in a fair manner as, in this case, lexisnexis was not responsible for the breach in any way, shape, or form. therefore to punish them for a breach not resulting from their actions would be unjust.
How about punishing them for their inactions? If somebody walked in to a military base and stole a nuclear warhead, would you throw up your hands and say "well, it wasn't the military's fault; they're not the ones who stole it"? Of course it's their freakin' fault! Who's supposed to be guarding this stuff??
Then of course, there's the issue of why they need to have this info in the first place. Just as you could argue if we didn't have nuclear weapons in the first place then there'd be no reason to worry about them being stolen, so you could argue that Lexis-Nexis - a company most of us have absolutely no contact with - should not have things like our social security numbers (which are for, you know, our individual social security payments, not anything else) to begin with.
If you are going to take it upon yourself to store my information, then you had damn well better safeguard it. And if you don't, then you should be held liable, and you should be punished severely when data is stolen through your negligence. (And in this case, I define negligence as "any case where your security was lax enough to allow data to be stolen" - or in other words, every single case of a security breach.)
If a company cannot secure this data to the point where it cannot be stolen, then they have no business holding this data to begin with.
My beef is not with banks... They are generally pretty dilligent about customer data--they've been doing this stuff for a while now. MY beef (and I believe the parent poster's beef) is a company he has never done business with acquiring, storing, and failing to secure his personal information. Certainly, we should punish the identity thieves--and severely. But the reality is that, in the case of ChoicePoint, (whom the parent poster cited as contacting him,) they simply didn't have adequate protections in place to keep somebody from pretending to be a "legitimate" buyer of personal information. (We'll leave for another day the argument that there should be no such thing as a "legitimate" sale of my personal information by anyone but me. If Choicepoint wants to PAY ME to list my personal information for their own potential profit, that is another story, of course.)
Bottom line? If ChoicePoint wasn't in the super-sleazy, ethically dubious game of gathering and selling personal information, the data that was "accidentally sold" to these inappropriate persons would never have been divulged--because they never would have had it in the first place to be ABLE To divulge it.
Who did what now?
Have you ever considered blowing the whistle on their lax security? Really -- contact some media outlets, try to contact large stockholders etc. It's the best thing you could do for the people whose data is held there. You'd be doing a service to society at large.
ERROR 144 - REBOOT ?
It's plain old fraud and the onus should be on the merchants and lenders who fail to verify the identity of the person they are extending credit to.
But no, this is too costly, so they try to put it back on the person who's information is used in the fraud.
It's NOT RIGHT! If someone else borrows money in your name, it's the lenders problem, not yours. Your identity was not stolen. You are still you. The lender is at fault because he failed to exercise due diligence in a climate where fraud is rampant.
Just think about it for a minute. You are NOT the victim of identity theft. You are still you and the other guy screwed some third party. Why should it cost you any money or any time... Instead, the idiots who carelessly or out of greed failed to verify that it was indeed you and not someone else requesting a credit report and credit should pay.
There's a simple solution too.
The credit reporting companies need to stop selling information to anyone other than the person who owns the information. Mainly you if it's your information. You want a loan, you request the information. Hell, if it takes a photo ID and a visit with a rep from the reporting company, then that's what it takes... But it's their problem to solve, NOT yours.