Over Half a Million Bank Accounts Breached
Gone Phishing writes "CNN is reporting that about 676,000 bank accounts in at least four banks (Bank of America, Wachovia, Commerce Bancorp, and PNC Financial Services) have had personal information "illegally sold". Over 60,000 customers have been notified so far."
Oftentimes, I'll complain about Slashdot dupes. Why can't this be one of those times?
I'm sure the answer will be higher fees though, so in the long run the banks will be fine.
Fortunately, my account should be safe. I got an email from Bank of America telling me about their problem, and I filled out their form to resecure my account. Such a great company to take care of their customers like that!
This is why I switched to a local credit union a few years ago. Seems like the bigger the bank, the bigger the security breach. Worse... they nickel-and-dime you on everything else.
Customer account numbers and balances were allegedly sold to a man who then sold the information to collection agencies, the Hackensack police department said in a statement. Reuters reports that the information has not been found to have been used in any identity theft schemes.
/snip/
The case has led to criminal charges against nine people, including seven bank employees and alleged ring leader Orazio Lembo, who operated DRL Associates, a company that advertised as a skip-and-trace collection agency.
Hmmm... working for a bank and a "collection agency". Sounds like a conflict of interest banks might want to look out for and possibly stipulate that working for a collection agency is not permitted while working for a financial institution.
The data-theft ring may have perpetrated the nation's largest ever banking security breach, a Hackensack, N.J., police statement quoted a Treasury Department representative as saying.
I only hope that Hackensack don't lack the knack to track this crack attack.
"Based on forensic examination of Lembo's computers, it was determined that he had employed upper-level bank employees to access and identify individual accounts in their respective banks," the police statement said.
It doesn't matter what laws you enact. If you RTFA, you'll see that this was an inside job done by corrupt upper-level employees. Setting aside security-Utopia for a second, at some point you have to trust your own employees, especially "upper level" ones. When that trust turns out to be misplaced, there's not a lot one can do to prevent malfeasance.
I'm a big tall mofo.
Luckily, I don't use banks. I keep all my money in a thermos under a combination lock. I then tether the combination to a string in a mylar bag and swallow it tying it off on a rigged bicuspid that will send a charge to the bag signaling an incendiary device which will destroy the note unless the tooth is first properly removed. But the bicuspid is fake -- threaded backwards with a one-way screw head. Of course, an anal probe might easily bypass the oral security, but I recently had my sphincter sewn shut and I only consume nutrient drinks which, by chance, I keep in the thermos....
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
I don't like Bush's policies either, but let's not just make things up, ok? First, not all class action suits are "forced" to federal court, only very large suits.
Second, they're moved to federal court not because federal courts are more business-friendly, but because of procedural differences in state court vs federal court. State courts tend to be more relaxed in due process procedures, and award ridiculous damages that are confiscated by private law firms. The ease with which a class action suit can be won in a small jurisdiction for enormous rewards has caused capitalistic law firms to seek out groups of marginally damaged people and organize them for a suit. This has caused a tenfold increase in class action lawsuits over the last decade.
Meanwhile, plaintiffs from multiple states with complaints against the same defendant could not organize on a federal level and file in federal court, due to procedural restrictions that prevented class action suits from being moved out of state. Thus you had the dangerous situation of one state's courts determining a case that would have national precedent ramifications, and this seriously violates the principles of federalism. For a guy who bitched in his post about removing checks and balances, you're also complaining about legislation that was intended to prevent one state from determining national policy via state courts that are cherry-picked by millionaire attorneys.
The legislation in question removed some of the roadblocks to moving large cases with multistate plaintiffs to federal court by granting original jurisdiction of a case to the District Courts instead of the state courts for large suits in which there are multistate plaintiffs.
You then characterize all this in your tired anti-Bush ranting as some pro-business move that Bush enacted for his cronies. First, that's not how a bill becomes a law, and you ought to know that by now. Presidents do not sponsor legislation in committee, nor vote on them in congress. They sign them.
There are a shitload of legitimate things to criticize President Bush about, but I'm tired of this hate-filled ranting that's misinformed. It's really hard to push for social evolution and progress when most of the people on your side are ignorant and more concerned with politics than anything else.
Oops, I forgot our legislature is too busy removing checks and balances (Senate) and debating corrupt members (House) to get anything else done.
I'm not sure what you're talking about here, so I can't really respond to you. The only major battle I know of in the Senate is over appellate court nominations, and I haven't read anything yet about changes to how nominations are handled.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
Nope. It shouldn't be that hard to have every employee's access to every account logged.
I worked at a large financial institution (life insurance, in a branch of a bank. Hell what I'm saying is 100% accurate so let me say that I'm talking about RBC Insurance - Life, whose offices are in Mississauga, Ontario) a while back, and had full access to hundreds of thousands of customers' data, including specially separated "high net worth" clients. I looked around and realized that on any of the developer PCs (where the user was admin. Actually these morons set DOMAIN\Users as admins, which meant that there was no PC to PC security and any hack could occur by co-opting a coworker) a USB key or PDA could siphon off everything.
Realizing how insanely loose the controls were, I proposed initiative after initiative to tighten up the system, and to add some sort of read logging, but I learned firsthand that financial institutions, presuming this one was par for the course, are 95% politics, and 5% actual concern about customers. The only way any sort of checks and balances were going to be implemented is if it properly gave a handjob to every useless mid-level manager planning their next Machiavellian maneuver (and successfully ensured that I didn't look good out of it, as a shop like RBC is configured in such a way that only the mediocre persist. If you look good, the next time a management churn occurs some clueless twit will purge the clueful). It really was eye opening, and the status quo was maintained and everyone acted like nothing was wrong.
Of course you really have to work in a place like that to fully appreciate how terribly incompetent such organizations are, and to make it more fun they churn their management around with no logic or thought. Remarkable stuff.
The way I see it, many of the companies that collect personal information (banks, RadioShack, etc.) see little or no value in the information they are protecting, it's only their value of reselling it (e.g., like a pawn shop). As an old tired example, why does RadioShack need a phone number when you buy a battery?
IMHO, the goal should be to make economics work for us. The cost of them collecting and securing it should balance the value they get from selling it. Then if the expected return on investment is zero, why would they even bother to collect it? It's just because right now it costs them little to collect it and they can resell it for more is why they do it right now.
One way to get this is to assign big penalties to losing control of the info so that the expected cost is high. Another way is to just bill them up front (e.g., tax companies for collecting the information). I'm guessing that in the end, some combination of things would be optimal.
Another thing to look at is to licence people (not companies) to handle information. For example, it takes a registered notary public (not a flunky that the bank assigns) to witness signatures on major business transactions. Why can a company assign some skript kitty to process social security numbers? Why should a bank VP have any access at all? Getting notary public certification is trivial for anyone with 1/2 a brain, but they make it very clear that your butt is on the line, not the company's butt, so most of them take it pretty seriously. Something about a few hours studying for a test and a name on a license and some personal responsibility makes most folks take their jobs less like a joke (although you occasionally get the rogue CPA or notary, it isn't very common)... Maybe it's time for a certified public information collection certificate or something like that...
Anyhow, that's just food for thought...