A former employee of Citi’s ABN Amro Mortgage group leaked the personal information, including Social Security numbers, of more than 5,000 customers via a peer-to-peer (p2p) file-sharing network.
The former employee reportedly exposed three spreadsheets containing more than 5,000 Social Security numbers.
Data-leak prevention vendor Tiversa traced the breach back to a Florida computer with BearShare software installed, according to an Associated Press report. The data was leaked from the former employee’s home computer.
Tiversa Chief Operating Officer Christopher Gormley told SCMagazineUS.com today that his company investigated the incident after being called by a Wall Street Journal reporter, and found data — including names, Social Security numbers, amounts of loans and types of banks where loans had originated — had been leaked.
Citi spokesman Mark Rodgers referred questions today to a company statement saying that the financial services giant has taken actions to rectify the breach.
“Protecting customer information remains a priority at Citi, and we remain fully committed to physical, electronic and procedural safeguards to protect personal information,” the company said in a statement. “The customer information involved has been retrieved from the source computer. We are taking appropriate steps to identify, notify and protect the customers involved, including offering complimentary credit monitoring services.”
A Seattle man was arrested earlier this month in what is believed to be the first case against someone using p2p programs for identity theft.
Gregory Thomas Kopiloff, 35, stands accused of using Lime Wire, Soulseek and other file-sharing applications to steal personal and financial information from victims’ PCs. He allegedly used stolen credit card information to go on an online shopping spree, according to a federal indictment filed in U.S. District Court in Seattle.
TD Ameritrade revealed this month that the names and contact information of 6.3 million customers were exposed after a company database was infiltrated. The Omaha, Neb.-based brokerage said it discovered the breach after customers told the company they received spam offering unsolicited investment advice.
Saying that p2p networks can enable access to “basically a treasure chest of personal information,” Avivah Litan, Gartner vice president and distinguished analyst, told SCMagazineUS.com today that financial institutions should use data-monitoring solutions to prevent breaches.
“There are definitely some technology solutions out there that enable banks to monitor all of the data that moves through the network. So Citi just didn’t have the sense of urgency that they should have had in putting those systems in,” she said. “In this day and age, there aren’t a lot of excuses for this sort of breach.”
Gordon Rapkin, president and CEO of Protegrity, told SCMagazineUS.com today that he is surprised the data wasn’t encrypted.
“For one, what was the data doing on a computer and why wasn’t it protected? And once you get past all those types of questions, the process question here is, what did Citi do to educate their users to the dangers?” he said. “This looks like [a case of] an uneducated employee who didn’t realize the risks of associating a peer-to-peer network with sensitive corporate data.”
Steve Fossen, manager of threat research at Fortinet, told SCMagazineUS.com today that unmonitored use of file-sharing applications can open up networks to similar threats.
“Installing any sharing application opens up a large hole in your network, even stuff like messaging clients,” he said. “It’s a policy issue. In many cases, [administrators] can install firewalls and stop network traffic when it’s about to go out.”