Forbes: Is Your Bank Information Secure?

Countrywide Financial may have become a poster child for U.S. financial institutions ruined by poisonous subprime loans—but junk assets, it turns out, weren't the only element of Countrywide's inner workings that were rotten.

So, allegedly, was one senior financial analyst in the company's subprime mortgage division. According to the reports of FBI officials who arrested him in August, 36-year-old Rene Rebollo spent his Sunday nights last summer copying a total of more than 2 million of Countrywide's customer records to a flash drive and selling the data to identity thieves.

Rebollo's case isn't as unique as banks would like to believe. If the wounded financial industry and its confused customers weren't suffering enough, add another crisis to the list: Cybersecurity and privacy analysts say American banks and financial services organizations are facing a major spike in data breaches, many of which are caused by company insiders siphoning sensitive data for profit.

According to numbers released Nov. 18 by the data breach tracking organization Identity Theft Resource Center, financial institutions were responsible for more than half the 33 million personal records known to be lost in all reported data breaches so far this year, compared with just 7% of known lost records in 2007. And while the total records lost in a breach is often a fuzzy number, given that nearly half of breaches involve an undetermined count of individuals' data, the ITRC also documents more than double last year's number of bank breaches of all sizes.

Until now, the financial industry has accounted for a surprisingly small slice of the total number of data breaches. Just 7% of 2007's breaches occurred at banks, while other businesses, government and universities each accounted for about 25% of data loss incidents. But in 2008, thanks in part to major breaches at Countrywide, BNY Mellon, and GE Money, banking's proportion of data leak incidents has climbed to 11%.

Changes in those breach statistics may have been partly driven by new laws in states including Oregon, Wyoming, Massachusetts and Georgia that require all companies to disclose data loss incidents, says the ITRC Director of Operations Rex Davis. But he also points to thousands of laid-off or disgruntled bank employees, many of whom control troves of bank codes and social security numbers. "They have access to the data, and they know how to use it," says Davis. "Desperation is never a good thing."

The ITRC's numbers seem to back up that notion of insider threat. Twenty-four percent of all financial institutions' data breaches this year were caused by insider theft of sensitive information, while 16% of other businesses' breaches and 20% of government incidents were attributable to employees or former employees.

In March, the Department of Justice alleged that James Kevin Real had used his job as a computer programmer to steal about 1 million customers' private data from Compass Bank, an Alabama-based lender that struggled in the first months of the subprime crisis and was acquired in August by a Spanish financial institution.

More recently, Wachovia and Americredit—both of which have taken hits from the financial crisis—have had their own (far smaller) breaches caused by rogue employees.

Plugging those insider leaks isn't easy, says Rachel Kim, an analyst for banking fraud analysis firm Javelin Research. "This is an industry that's very focused on threats from the outside, but they need to start thinking more about threats from within," says Kim. "It's something banks have always struggled with, but it will definitely become a higher risk with all the acquisitions and mergers that have taken place in the past few months."

The link between data spills and identity theft isn't always clear. A report from the Government Accountability Office last year showed that only four out of the 24 largest data breaches that occurred between 2000 and 2005 resulted in real fraud.

But internally stolen data may be more likely to end up in the hands of fraudsters, posits the ITRC's Rex Davis (see "Economic Bust, Cybercrime Boom"). While many accidental spills—often the result of a lost laptop—aren't followed by large numbers of actual fraud incidents, rogue employees are far more likely to use identities they've purposefully stolen, he says.

"We're a long way from being able to coordinate between data breaches in general and identity theft," says Davis. "But insider theft has a very high probability that the data's been pulled for a nefarious deed."