The recent Equifax hack isn't believed to be an inside job, but it may give life to a new rash of insider thefts if fraudsters seek to do more with the data they obtained in the breach.
A Social Security number is valuable, but it is only one element of an identity, and the more data fraudsters have, the more likely they are to succeed at their scheme. Thus, they may turn to bank insiders to get the few shreds of PII they might need after completing a heist like the Equifax breach.
Organized fraud rings have been known to collaborate with crooked employees or have their members apply for jobs in financial institutions to steal customer data, said Shirley Inscoe, a senior analyst with Aite Group.
“Employees can be tempted to share data and other information about policies, procedures and details about fraud-prevention systems,” Inscoe said. “It’s true that many financial institution employees have to have access to a lot of customer information in order to perform their job duties."
While this kind of internal fraud is an ongoing concern, it could ironically get an even lower priority now, given the recent attention paid to data-security risk from external hackers, analysts suggest.
Experts recommend a layered approach to guard core account data, but many organizations fail to apply that same level of protection for other types of files containing sensitive information, putting them at risk for insider fraud and cyberattacks.
Almost half of organizations have at least 1,000 sensitive files open to every employee, according to New York-based Varonis, which sells a tool that generates notifications announcing any activity surrounding files requiring high security.
Examples include hundreds of spreadsheets and PDFs full of sensitive customer and account information that employees at banks and other payment industry players use for reports and analysis, which isn’t subject to the highest level of security, said Brian Vecci, “technology evangelist” at Varonis.
“Organizations generally know how to protect their core account data, but there’s usually a lot of sensitive data included in other files that’s not properly secured that insiders and others could access and exploit,” Vecci said.
Dedham (Mass.) Savings Bank for four years has used Varonis’ systems to track activity surrounding its files with sensitive information, said Jim Hanlon, the bank’s senior vice president and chief technology officer.
“Like a lot of financial services companies, we collect a lot of private information about our customers that’s stored on various systems and platforms—mortgage files, tax returns, credit reports—similar to what Equifax would have,” Hanlon said.
Files containing details about corporations, business-to-business payments and wire transfers are a particular concern for Dedham, he said.
“If anyone is handling files with any kind of encrypted, sensitive or high-risk information, the appropriate manager gets an alert, and it also lets us know if anyone is routing any high volumes of data, which is often a signal of a cyberattack,” Hanlon said.
Little information is available about the degree of data-security risk facing U.S. financial services organizations from insiders. The best policy to protecting data is to cast the widest possible net to spot and react to any unusual patterns that could compromise sensitive information, analysts agree.
“Given the prevalence of threats both inside and outside of the enterprise, being able to determine if there’s suspicious activity surrounding file access or transfers would provide effectively broad protection,” said Al Pascual, senior vice president and research director at Javelin Strategy & Research.