In the wake of news that a Wells Fargo bank access code had been used to steal thousands of consumers’ personal information, the bank has launched a full-scale investigation into the crime.
The code was used between May and June to access information from MicroBilt, which describes itself as the “single source industry leader in risk management information” and provides consumer information to Wells Fargo and other banks and businesses, Wells Fargo spokeswoman Mary Berg told InternetNews.com.
MicroBilt only notified Wells Fargo on July 1, and both companies told InternetNews.com that they suspended their dealings by mutual agreement. MicroBilt declined further comment because “the incident is under investigation by the Secret Service,” a MicroBilt spokesperson said.
Wells Fargo has notified the Secret Service, and is also conducting its own investigation into the matter. While Berg would not say what steps the bank is taking “because the matter is under investigation,” she did say that those with the authority to use this type of access code “are the folks who work on loan applications for Wells Fargo.”
Data breaches are expensive, and loan applications staff at Wells Fargo are now under a microscope. “We take information security seriously, and we’re always on the alert for this kind of thing,” Berg said. “We’re looking into how someone got hold of that access code.”
She declined to say what aroused MicroBilt’s suspicions because the matter is under investigation.
Berg said about 5,000 consumers are affected by the breach. “MicroBilt sent us a list of about 7,000 names and, after we took out any duplicate names, the list worked [out] to about 5,000,” she said. “We’re still working through it and are still notifying consumers,” she added.
Only a few of the victims are customers of Wells Fargo, Berg said, but she could not be more exact “because this is under investigation by law enforcement.” Wells Fargo has given victims a one-year subscription to identity theft protection service Identity Guard, and is working with the credit bureaus to “make sure that any unauthorized entries won’t affect their credit ratings,” Berg said.
“We’re taking responsibility to protect these people because that’s our number one priority, even if they’re not our customers,” Berg added.
Nine of the victims are New Hampshire residents, Richard Head, an associate attorney general with the New Hampshire Department of Justice, told InternetNews.com. The New Hampshire banking department may look into this breach because the state’s laws put banking breaches under its purview, Head added.
The breach at MicroBilt occurred because, like other companies that offer business-to-business (B2B) services, it uses authentication that generally is considered good enough, Eric Skinner, chief technology officer of security vendor Entrust (NASDAQ: ENTU), told InternetNews.com.
“They looked around, saw what everybody else was using and used the same thing,” Skinner said. “It’s not unusual that they don’t have banking-grade security applications in place.”
However, this is a wake-up call for MicroBilt and other companies providing B2B services, Skinner said. They should put more stringent security measures in place, such as two-factor authentication and fraud detection software on the back end to monitor logins and unusual user activity, he added.
“Wells Fargo seems to be taking the big PR hit because it was their code that was compromised, but the broader solution is something MicroBilt has to face,” Skinner said.
This is the second breach at a major company announced this month. Earlier this month, two men were arrested by the FBI on charges relating to the illegal access and sale of computers containing personal information of loan applicants at Countrywide Home Loans.
One, Rene Rebollo, is accused of giving out information to third parties over a period of two years while working as a senior financial analyst at the company’s sub-prime mortgage division. He allegedly downloaded data to his own flash drives and put it up for sale. The other, Wahid Siddiqi, is accused of buying the data from Rebollo.
Countrywide has since fired Rebollo.