Add Bank of America to the list of large banks whose customers have fallen victim to insider threats.
As you’re probably already aware, last week the LA Times reported that a BofA employee leaked hundreds of customers’ confidential account information to scammers, resulting in more than $10 million in losses. A BofA spokesperson said “about 300” customer accounts were compromised in California and other Western states. And surprise – this recurring theft had been continuing for more than a year, according to the same article.
Here’s my perspective. As developers of privileged identity management software, we’ve found that large banks have too little interest in implementing the types of security upgrades that can help protect against these types of insider threats. This is the dirty secret of many large financial institutions: they have far too few controls to protect customers against malicious and negligent insiders. As one executive told me, “If an insider violates our security policy we’ll fire him. That’s our control.” I suspect that those hundreds of BofA customers who are now piecing their finances back together after this breach are taking little solace in this.
The good news is that in smaller, more agile financial institutions such as credit unions we’ve seen a much faster adoption of security technology to minimize internal threats and provide real accountability. So what’s deterring larger financial institutions from doing the same? I believe that it’s a combination of old systems, insular big-company cultures, and external compliance auditors with too little training and time. These factors have created an environment where there is little incentive to implement new security technologies and processes inside the largest banks. These institutions’ top management might see data breaches as an acceptable risk, but for the customers whose finances have been compromised this boardroom calculus has got to hurt.
You may be surprised by how rare it is for insider breaches at large organizations to be publicly revealed, so perhaps BofA will now implement proper controls. Generally in these cases though, nothing changes until federal regulators start to ask bank officials how many times similar incidents have occurred in the past, why the problem has not been fixed and, most importantly, when they plan to fix it.
As I’ve already stated, the technology and controls currently exist to stop this problem, but until regulators step in and force large financial institutions to clean up their act, customers at large banks will continue to be victims of inadequate security.