A data breach at Bank of America in May involved not theft of cash, but an internal employee who leaked customer names, addresses, Social Security numbers, phone, bank account, driver's license, PIN and account-balance numbers as well as all the other information used to verify a customer's identity – birthdays, family names, email addresses and other information difficult to obtain any other way.
The scam cost more than $10 million in fraudulent spending, and caused a crisis of confidence at the bank.
It also caused a change in the way BofA looks at – and checks for – internal security risks. Even at a bank, not all the theft has to be an employee swiping cash.
Though you wouldn't know it from Citi's example, bank databases are normally fairly difficult to crack. Insiders willing to walk the data out the door avoid all the security around the digital perimeter and nets more complete, more valuable identity-theft data as well.
Makes simple embezzlement of a few million look hopelessly old fashioned and even makes hacking your way in from outside look like more trouble than it's worth, for payoff that's not nearly as high.