ABN Amro suffers p2p data breach

A former employee of Citi's ABN Amro Mortgage group leaked the personal information, including Social Security numbers, of more than 5,000 customers via a peer-to-peer (p2p) file-sharing network.

The former employee reportedly compromised three spreadsheets containing more than 5,000 Social Security numbers.

Data-leak prevention vendor Tiversa traced the breach back to a Florida computer with BearShare software installed, according to an Associated Press report. The data was leaked from the former employee's home computer.

Tiversa Chief Operating Officer Christopher Gormley told SCMagazineUS.com today that his company investigated the incident after being called by a Wall Street Journal reporter, and found data — including names, Social Security numbers, amounts of loans and types of banks where loans had originated — had been leaked.

Citi spokesman Mark Rodgers referred questions today to a company statement saying that the financial services giant has taken actions to rectify the breach.

“Protecting customer information remains a priority at Citi, and we remain fully committed to physical, electronic and procedural safeguards to protect personal information,” the company said in a statement. “The customer information involved has been retrieved from the source computer. We are taking appropriate steps to identify, notify and protect the customers involved, including offering complimentary credit monitoring services.”

A Seattle man was arrested earlier this month in what is believed to be the first case against someone using p2p programs for identity theft.

Gregory Thomas Kopiloff, 35, stands accused of using Lime Wire, Soulseek and other file-sharing applications to steal personal and financial information from victims' PCs. He allegedly used stolen credit card information to go on an online shopping spree, according to a federal indictment filed in U.S. District Court in Seattle.

TD Ameritrade revealed this month that the names and contact information of 6.3 million customers were exposed after a company database was infiltrated. The Omaha, Neb.-based brokerage said it discovered the breach after customers told the company they received spam offering unsolicited investment advice.

Saying that p2p networks can enable access to “basically a treasure chest of personal information,” Avivah Litan, Gartner vice president and distinguished analyst, told SCMagazineUS.com today that financial institutions should use data-monitoring solutions to prevent breaches.

“There are definitely some technology solutions out there that enable banks to monitor all of the data that moves through the network. So Citi just didn't have the sense of urgency that they should have had in putting those systems in,” she said. “In this day and age, there aren't a lot of excuses for this sort of breach.”

Gordon Rapkin, president and CEO of Protegrity, told SCMagazineUS.com today that he is surprised the data wasn't encrypted.

“For one, what was the data doing on a computer and why wasn't it protected? And once you get past all those types of questions, the process question here is, what did Citi do to educate their users to the dangers?” he said. “This looks like [a case of] an uneducated employee who didn't realize the risks of associating a peer-to-peer network with sensitive corporate data.”

Steve Fossen, manager of threat research at Fortinet, told SCMagazineUS.com today that unmonitored use of file-sharing applications can open up networks to similar threats.

“Installing any sharing application opens up a large hole in your network, even stuff like messaging clients,” he said. “It's a policy issue. In many cases, [administrators] can install firewalls and stop network traffic when it's about to go out.”
