$500K Citigroup fine is for poor security on obsolete crime: insider theft of cash, not data

Theft, hacks make this the summer of Citigroup's Overly-Simple-Embezzlement Recession Recovery Plan

Citigroup has made the news twice in recent weeks for allowing perfect strangers to walk unaccosted through banks of its data – visitations that caused a total of more than 450,000 customer account numbers to be taken or compromised.

Yesterday news broke that Citigroup had been fined $500,000 for negligent and lax security in allowing two insiders to walk off with a total of almost $20 million – in one case over the course of eight years.

The fine comes not from the feds, but from the Financial Industry Regulatory Authority (FINRA) – an industry-funded organization responsible for making sure U.S.-based securities companies stick to both federal regulations and specific guidelines on security and consumer protection.

The fine has nothing to do with the two recent data breaches, however, even though both were accomplished through heist schemes simplistic enough to have been pulled off by most household pets and which shouldn't even have been possible, let alone possible with so little difficulty.

The fines come in response to a pair of insider scams – one lasting eight years, the other involving almost $19 million – that FINRA said Citi never noticed or investigated, despite red flags that should have alerted it early on to each of them.

In one, a Palo Alto, Calif., sales assistant working for Citi subsidiary Smith Barney allegedly skimmed $750,000 from the accounts of 22 customers by falsifying deposit and withdrawal records or making unauthorized trades. FINRA said the employee, Tamara Moon, targeted the elderly or other vulnerable customers for more than eight years, completely undetected by Citi, despite conflicting information in account applications and suspicious fund transfers between accounts whose owners had no connection to one another.

Sounds like the kind of thing that might have been tricky to detect, but for how blatantly obvious some of it should have been:

"...In another instance, Moon created an account in the name of a deceased customer even after Citigroup had been notified that the customer was deceased," FINRA investigators reported. "Moon then created a fraudulent account in the name of the deceased customer's widow. Moon transferred $10,440 from the deceased customer's fraudulent account to the widow's fraudulent account. A few weeks later, Moon had checks issued for $5,000 and $2,500 from the fraudulent account set up in the widow's name to Moon's personal bank account."

Allowing the dead to vote is a long tradition in Chicago; some Deceased Americans (as they prefer to be called) have even been elected to state and national office.

This was Palo Alto, Calif., however, where one can be declared dead and barred from both golf clubs and health spas for looking insufficiently tan or inadequately Botoxed, and inheriting relatives don't dilly dally over financial divisions, if only due to financial pressure from their personal fashion designers.

"Tamara Moon used her knowledge of Citigroup's lax supervisory practices at the branch to take advantage of some of the firm's most vulnerable customers, including the elderly. Citigroup had reason to know what she was doing and could have stopped her," according to Brad Bennett, FINRA EVP and chief of enforcement.
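The red flags FINRA lists in the Moon case (an account opened for a customer already reported dead, transfers between accounts whose owners have no recorded connection, and customer checks paid to an employee's personal account) are the kind of thing a branch supervisory screen can catch mechanically. The following Python is an added illustration, not code from the article, Citigroup or FINRA; every customer id, payee name and record is constructed, with amounts chosen to mirror the narrative above.

```python
# Added example with constructed data; not code from Citigroup, FINRA or the article.
from dataclasses import dataclass

@dataclass
class Customer:
    cid: str
    deceased: bool = False    # True once the firm has been notified of the death
    household: str = ""       # relationship key shared by linked customers; "" = none

@dataclass
class Event:
    kind: str                 # "open", "transfer" or "check"
    cid: str                  # customer whose account the event is on
    counterparty: str = ""    # other customer id (transfer) or payee name (check)
    amount: float = 0.0

def screen(customers, events, employee_payees):
    """Return (event, reason) pairs for activity matching the three red flags."""
    by_id = {c.cid: c for c in customers}
    flags = []
    for e in events:
        if e.kind == "open" and by_id[e.cid].deceased:
            flags.append((e, "account opened for a customer already reported deceased"))
        elif e.kind == "transfer":
            a, b = by_id[e.cid], by_id[e.counterparty]
            if not a.household or a.household != b.household:
                flags.append((e, "transfer between accounts with no recorded relationship"))
        elif e.kind == "check" and e.counterparty in employee_payees:
            flags.append((e, "customer check payable to an employee's personal account"))
    return flags

# Constructed sample mirroring the Moon narrative (ids and names are invented).
CUSTOMERS = [
    Customer("C100", deceased=True),             # death notice already on file
    Customer("C101"),                            # "widow" account with no linkage recorded
    Customer("C200", household="H1"), Customer("C201", household="H1"),
]
EVENTS = [
    Event("open", "C100"),
    Event("open", "C101"),
    Event("transfer", "C100", "C101", 10440.0),
    Event("transfer", "C200", "C201", 300.0),    # legitimate, same household
    Event("check", "C101", "EMPLOYEE-PERSONAL", 5000.0),
    Event("check", "C101", "EMPLOYEE-PERSONAL", 2500.0),
]
EMPLOYEE_PAYEES = {"EMPLOYEE-PERSONAL"}          # payee names matched to staff records

def run_sample():
    return screen(CUSTOMERS, EVENTS, EMPLOYEE_PAYEES)
```

The screen is deliberately crude; in practice the payee match would use staff bank-account records and the relationship check would use the firm's household or KYC data, but even this much would have surfaced every step FINRA describes.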

In the other case, an insider named Gary Foster allegedly took advantage of his job in the company's treasury finance department to shift money from special escrow accounts into Citi's cash account and then, in eight smaller wire transfers, to a personal account outside the bank.

Foster was arrested June 26 by the FBI, as he returned from a business trip to Bangkok.

As flat-out thefts, these two incidents differ from the previous two breaches at Citi, one of which involved penetration by hackers fiddling their way through overly simple URL schemes that allowed them to guess the proper subdirectories and account numbers to hit. The direct take as of a week or so ago was $2.7 million in fraudulent claims against 3,400 accounts and the loss of full or partial information from 360,000 accounts.

The other involved an employee in a Citigroup subsidiary in Japan who printed off data from about 92,000 customer credit-card accounts, then walked out the door with them.

That is actually the new fashion in bank-related insider scams, according to bank security expert Shirley Inscoe, director of financial services solutions at Memento and a former risk management executive at Wachovia, as quoted in BankInfoSecurity.

A data breach at Bank of America in May involved not theft of cash, but an internal employee who leaked customer names, addresses, Social Security numbers, phone, bank account, driver's license, PIN and account-balance numbers as well as all the other information used to verify a customer's identity – birthdays, family names, email addresses and other information difficult to obtain any other way.

The scam cost more than $10 million in fraudulent spending, and caused a crisis of confidence at the bank.

It also caused a change in the way BofA looks at – and checks for – internal security risks. Even at a bank, not all the theft has to be an employee swiping cash.

Though you wouldn't know it from Citi's example, bank databases are normally fairly difficult to crack. Insiders willing to walk the data out the door avoid all the security around the digital perimeter and net more complete, more valuable identity-theft data as well.

Makes simple embezzlement of a few million look hopelessly old fashioned and even makes hacking your way in from outside look like more trouble than it's worth, for payoff that's not nearly as high.
