18 Cases of Insider Bank Threats
19 Cases of Insider Bank Threats
It is reported that at least 60% of cyber-attacks in financial institutions are attributed to privileged users, third-party partners, or malicious employees. This occasionally happens through employee negligence, or when an employee has malicious intentions, leading them to commit deliberate sabotages. The threats have become hard to control since these types of threat factors normally use authorized information and are considered safe when accessing the organizational network. Banks and other financial institutions are considered one of the top targets and have lead to the loss of billions of customers’ records over the past few years. According to a 2018 Cost of Insider Threats: Global Organizations report, “a malicious insider threat can cost an organization $2.8M per year, or an average of $604,092 per incident.”
Verizon’s breakdown was that 77% of internal breaches were deemed to be by employees, 11% by external factors only, 3% were from partners, and 8% involved in some kind of internal-external collusion which makes them hard to categorize. An annual DBIR report states that since 2010, internal attackers account for almost one in five successful breaches.
A Gartner study on criminal insider threats found that 62% of insiders with malicious intent are categorized as people that are looking for a supplemental income. Important to note that seniority had little almost no effect in this category. Just 14% of persistently malicious insiders were in a leadership role and approximately 1/3 had sensitive data access.
I did not include third-party provider (TTP) insider breaches impacted directly banks or other types of breaches such as lost backup storages, mailing errors, skimmers, and printing errors, although those types of breaches have occurred.
This post looks into the aftermath of insider threats across different banking institutions around the world. Please take note that the content and any of the opinions expressed are solely my own, and do not express the views or opinions of my employer.
JP Morgan Chase
- The now-former banker at JP Morgan Chase, Peter Persaud, as reported Persaud sold personal identifying information (PII) and other account information, including the personal identification numbers (PIN) of bank customers. Persaud was first exposed in 2014 when he sold account information to a confidential informant for a sum of $2,500. Later, Persaud reportedly offered four additional accounts for approximately $180,000. Court documents showed that Persaud told the undercover officer that he needed to “take it easy”, otherwise the bank may realize he had accessed all of the bank accounts that “got hit”.
“Persaud abused his position by victimizing unsuspecting customers, and will now pay the penalty for his fraudulent conduct,” -Richard Donoghue, United States Attorney for the Eastern District of New York
- Another former JP Morgan Chase investment advisor, Michael Oppenheim, was accused in a civil complaint of stealing more than $20M from the bank’s clients between 2011 and 2015. Oppenheim claimed to have invested their money in low-risk municipal bonds and sent doctored account statements reportedly showing earned profits on those investments. Throughout the years, Oppenheim took steps to conceal his fraud. For instance, when a customer asked for a statement reflecting his municipal bond holdings, he created false account statements. Additionally, there were times Oppenheim copied the customers’ details onto an account statement reflecting the holdings of another customer, then provided the fabricated statement to convince the customer that he had purchased the municipal bonds as promised. In another instance, Oppenheim transferred money from one customer to another in order to replenish the funds he had previously stolen.
“We allege that Oppenheim promised his customers that he would invest their money in safe and secure investments, but he seized their funds and aggressively played the stock market in his own accounts,” said Amelia A. Cottrell, Associate Director of the SEC’s New York Regional Office.
- In a different case of an insider at JP Morgan Chase, it was reported that for over two years JP Morgan Chase bankers could access and issue ATM cards for the 15 accounts of elderly and deceased of the bank’s clients. Dion Allison was accused of stealing $400,000 from accounts by searching for customers with high, stagnant balances and Social Security deposits. With the help of two of the banker’s friends, the funds were withdrawn by using issued ATMs around NYC.
“Since I was 16, I worked in the financial field, I did internships and everything, now my reputation is tarnished because of this,” — Jonathan Francis, An ex-banker who was wrongfully implicated in this case.
- It was reported that JPMorgan Chase in 2013 fired an executive in charge of forensics investigations, Peter Cavicchia, for snooping on top executives at the company. Cavicchia, a former U.S. Secret Service agent, led a team of 120 engineers from Palantir to oversee the use of data analytics to spot signs of misbehavior among JPMorgan employees.
In 2015, Morgan Stanley, one of the largest financial service companies in the world, was forced to pay a $1M penalty for failing to protect their customers’ records. This was after the company lost $730,000 in customer records to hackers. It was reported in a post published on Pastebin where six million account records of Morgan Stanley clients were being offered. In the following weeks, a new post was shared on a website pointing to the Speedcoin platform; It featured a teaser of real records from 900 different accounts and provided a link for people interested in purchasing more. This activity was traced to Galen Marsh, an individual that was employed in the private wealth management division of Morgan Stanley. Marsh was originally a Customer Service Associate and then became a Financial Advisor in the Manhattan office where he provided financial and investment services to particular private wealth management clients.
It was reported that Marsh conducted a total of approximately 6,000 unauthorized searches in the computer systems, and thereby obtained confidential client information, including names, addresses, telephone numbers, account numbers, fixed-income investment information, and account values, totaling approximately $730,000 from client accounts for about three years. Marsh uploaded the confidential client information to a personal server at his home. Ironically enough, the investigators confirmed that Marsh’s home-server was hacked, the very same server that was used by Marsh to exfiltrate customer data from Morgan Stanley.
“It is probable that the client data was extracted from Mr. Marsh’s home as a result of outside hackers. In fact, based upon conversations with representatives of Morgan Stanley, we learned that hackers emanating from Russia were suspected of posting the information and offering to sell it online.” — Sentencing Memorandum
Qisheng as a senior programmer at the bank, realized withdrawals that were completed close to midnight were not being recorded properly. That meant customers could access cash from ATM machines without the amount of money in their accounts being affected. Qisheng discovered the flaw in the system in 2016 and in November that year he inserted a few scripts in the banking system which he said would allow him to “test” the loophole without triggering an alert. For more than a year Qisheng made cash withdrawals of between $740 to $2,965 from a dummy account the bank used to test its systems. By January 2018 with about 1,358 withdrawals, Qisheng amassed over a $1M. The irregular activity in the dummy account eventually detected and verified during a manual check by the bank.
Prior to Qisheng arrest, he decided to return all of the money he withdrew to the bank. Qisheng explained to the bank that the repeated withdrawals had all been part of him testing the system and that to tell the bank he was doing this wouldn’t have been worth the effort. Interesting to note that Huaxia Bank reportedly asked the police to drop the case, accepting Qisheng’s explanation that he was merely testing the bank’s security and was holding onto the money for the bank to reclaim. The courts didn’t “buy” the argument, considering that Qisheng moved the money to his personal bank account, instead of the bank’s dummy account and investing in the stock market.
Zurich court convicted a former employee Eckart Seith of Bank J. Safra Sarasin AG of corporate espionage for the leaking of internal documents to a lawyer related to a controversial tax deal. Interesting to mention that Seith described himself as a whistleblower in this case.
“The Zurich District Court condemns three persons, accused of transferring a bank customer list to a German lawyer, for multiple violations of the banking law,”
“The first conviction at Cum-Ex concerns a fraudster instead of a person who has contributed to the investigation of the billion dollar raid Cum-Ex.”
During a project carried out by Risk Center of TBB regarding information security, suspicious inquiries rendered by an ING Bank employee were found. During an investigation in ING Bank in October 2018, the bank concluded that the breach caused by disabling the authorization system. This resulted in compromising IDs and names of 19,055 individuals and credit reports, address information and phone number of 1,172 sole proprietorships and partnership companies.
- In 2011 a federal grand jury has indicted a former TD Bank employee Jennell Digby a call center representative for her alleged role in a scheme involving fraudulent withdrawals totaling nearly $70K from TD bank branches. The indictment alleges that a co-conspirator Kashon Adade provided Social Security numbers to Digby in exchange for account information retrieved by Digby as she had the access to TD Bank’s client information. As part of the bank fraud scheme, Adade recruited individuals to open bank accounts and turn over the account documents and debit cards to them. Adade then deposited or directed others to deposit, checks drawn on closed accounts or accounts with insufficient funds into the newly opened accounts, and then withdrew money from the accounts or conducted check card transactions before the bank determined that the checks were unfunded.
- In a different case, eight people including a former bank teller were charged with participating in an identity theft ring that used account information stolen from customers TD Bank. The indictment charges them in connection with 21 separate thefts across New Jersey between April and July 2013 that totaled $155,500 and involved the use of eight stolen identities. The thefts ranged in amount from $3,500 to $9,000. The individuals who posed as account holders were provided with forged New York driver’s licenses and withdrawal slips that were already completed so that they could conduct the fraudulent transactions. The fake account holders allegedly included drug addicts and homeless persons who were sometimes provided with clothing to wear in the banks. It was reported that Bronthie Charles stole the identities of TD Bank customers while working for the bank in New York from January 2012 through May 2013, and provided the information to Divine Garcia, who allegedly was the leader of the ring.
‘The London Whale’ scandal resulted in over $6 billion of trading losses to JPMorgan Chase. The claims included wire fraud, falsification of books and records, false filings with the Securities and Exchange Commission, and conspiracy to commit all of those crimes. The individuals’ intent remains unclear, while the charges two of former derivatives traders were dropped. The Department of Justice stated, “no longer believes that it can rely on the testimony” of Bruno Iksil.
“The top U.S. securities regulator on Friday dropped its civil lawsuit accusing two former JPMorgan Chase & Co (JPM.N) traders of trying to hide some of the bank’s $6.2 billion of losses tied to the 2012 ‘London Whale’ scandal.”
Wells Fargo reported insider fraud by employees who created almost 2M accounts for their clients without their knowledge or consent. Wells Fargo’s clients took notice when they started receiving charges for fees they did not anticipate, together with credit or debit cards that they did not expect. Initially, the blame was placed on an individual Wells Fargo branch workers and managers. The blame later shifted top-down to the opening of many accounts for clients through cross-selling. This insider fraud was engineered by particular managers of the bank in collaboration with other bank employees. By opening these accounts, Fargo employees were able to access credits illegally. The fraud led to the CFPB fining the bank an estimated $100M and a total of nearly $3 billion when counting the remainder of the losses and fines. The illegal activity has also made the bank face other civil and criminal lawsuits, as well as losing the trust of their customers
“the widespread illegal practice of secretly opening unauthorized deposit and credit card accounts.” — Consumer Financial Protection Bureau
In 2016, Bangladesh Bank underwent a massive cyber attack, where more than $81M disappeared without a trace. The attack, originally targeting $951M, was conducted through a series of transactions and were terminated at a point when $850M was yet to be transferred through the SWIFT network. Thirty transactions amounting to $850M were blocked by the Federal Reserve Bank of New York after suspicions arose due to a spelling mistake made by the perpetrators of the crime. Nearly $101M were transferred from Bangladesh Bank’s account at the New York Fed to Philippines-based Rizal Commercial Banking Corp under fake names, which later disappeared into the casino industry; Only $20M out of $101M that was originally traced to Sri Lanka was successfully recovered from Perera’s Shalika Foundation bank account. Also, it is important to mention that the Philippines’ Anti-Money Laundering Council has accused seven bank officials of money-laundering in a complaint filed at the country’s Justice Department. Good to note that there was no definite published evidence that these breaches caused by insiders.
“ The malware was customized for Bangladesh Bank’s systems, Alam said, adding someone must have provided the hackers with technical details about the central bank’s computer network.” — Bangladesh police deputy inspector general, Mohammad Shah Alam
“We’re pretty sure it was the work of Lazarus group.” and “We don’t do attribution, we publish only the facts.” -Vitaly Kamluk researcher at the Kaspersky Lab
Punjab National Bank in India parted with almost $43M after Gokulnath Shetty, a bank employee, used unauthorized access to a susceptible password in the SWIFT interbank transaction system. The fraudulent act was done to release funds in a highly complex transactional chain schemed up by Nirav Modi. It was reported that the bank officials issued a series of fraudulent “Letters of Undertaking” and sent them to overseas banks, then to a group of Indian jewelry companies.
A Letter Of Undertaking, or LOU, is a document issued by a bank to a person or a firm. This LOU is generally used for international transactions and is issued by keeping in mind the credit history of the party concerned. The party can then avail Buyer’s Credit against this LOU from a foreign bank.
In February 2018, Suntrust Bank became aware of an attempted data breach by a now-former employee that downloaded client information which triggered an internal investigation that led to its discovery. It was reported that the compromised 1.5M client information data included clients names, addresses, phone numbers, and banking balances; However, the stolen data did not include information, such as social security numbers, account numbers, PINs, and passwords. To combat the increasing concern of identity theft and fraud, Suntrust offered its clients services like credit monitoring, dark web monitoring, identity “restoration assistance”, and $1M identity theft insurance. In addition, the bank heightened its existing security protocols, like ongoing monitoring of accounts, FICO score program, alerts, tools, and zero-liability fraud protection.
Later, Morgan & Morgan has filed a proposed class-action lawsuit in which they seek damages for the theft of the plaintiffs’ personal and financial information, as well as imminent and impending injury as a result of identity theft and potential fraud, improper disclosure of personally identifiable information, inadequate notification of the data breach, and loss of privacy.
“The lawsuit, which we filed on behalf of our clients and the 1.5 million consumers affected by the data breach, seeks to hold SunTrust accountable from its acknowledged failure to keep safe the information entrusted to it” — Morgan & Morgan’ lawyer John Yanchunis
- A former Citigroup VP Gary Foster was sentenced to 97 months in prison for embezzling more than $22M from the bank. Foster admitted that he transferred funds from various Citigroup to Citigroup’s cash account and then to his private account at JPMorgan Chase. It was reported that Foster was able to evade detection for years by making false accounting entries that made it seem like the wire transfers were in support of existing Citigroup contracts when they were actually being transferred to his account, according to the complaint. The fraud was uncovered during an internal audit of Citigroup’s treasury department.
“I directed funds to be wired into my personal account at JPMorgan.” — Gary Foster
- In a different case, Lennon Ray Brown admitted causing damage to a protected Citibank computer, was sentenced to 21 months in federal prison and ordered to pay $77,200 in restitution. Brown knowingly transmitted a code and command to 10 core Citibank Global Control Center routers, and by transmitting that code, erased the running configuration files in nine of the routers, resulting in a loss of connectivity to approximately 90% of all Citibank networks across North America. Right after Brown scanned his employee identification badge to exit the Citibank Regents Campus.
“They was firing me. I just beat them to it. Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated. I took one for the team. Sorry if I made my peers look bad, but sometimes it take something like what I did to wake the upper management up.” — Text that Brown sent to a coworker shortly after he shut down Citibank’s system
In July 2007, James Kevin Real, a computer programmer for Compass Bank, was indicted on six counts of financial institution fraud, four counts of access device fraud, two counts of aggravated identity theft. Real had stolen a USB drive with 1M customer records to commit debit-card fraud. Compass Bank claimed that the customer records contained limited information. Together with Laray Byrd who bought a magnetic strip encoder and software to encode blank cards the information onto counterfeit cards. With 250 counterfeit debit cards, and his accomplice were able to withdraw money from ATMs of 45 different bank accounts typically in amounts not exceeding $500. It was reported also that Real would disguise when making the ATM withdrawals.
It was reported that Bank of America lost at least $10M as a result of an insider threat that sold “about 300” customer data to cyber-criminals.
Note: This is the only information I could find during my research on the Bank of America case, if you have additional public information, I would welcome you sharing it.
“Involved, a now-former associate, who provided customer information to people outside the bank, who then used the information to commit fraud against our customers,” — Bank of America spokeswoman, Colleen Haggerty, said in an email message.
Conclusion — Do the right thing.
- I would suggest reading Common Sense Guide to Mitigating Insider Threats that provides the current recommendations of the CERT Division. The guide describes 21 practices that organizations should implement to prevent and detect insider threats. The appendices provide a list of information security best practices, a mapping of the guide’s practices to established security standards, a breakdown of the practices by organizational group, and checklists of activities for each practice.
- Explore the study focuses on the threat to information security posed by insiders.
- If you are still not sure what that may be, please invite me for a friendly coffee to discuss it.
18 Cases of Insider Bank Threats
InfoSec Write-ups – Medium