Bank IT tech steals data (and money)
It is one of a bank’s worst nightmare. And it probably is one of yours. Imagine someone that can access your personal financial data to steal it and abuse it. Banks do (almost?) everything they can to prevent unauthorized access to your data but bank staff themselves obviously need to have access to your data in order to serve you.
In this data theft scenario, the IT support guy is like the butler in a classic murder novel; he did it. Adeniyi Adeyemi was an IT tech at Bank of New York Mellon. He confessed that he stole sensitive information belonging to 2,000 bank employees and that he used that data to steal more than US$1 million from charities. Technically: grand larceny, identity theft, money laundering, scheme to defraud, computer tampering and unlawful possession of personal identification information.
Adeniyi worked as a contract computer technician at the Bank’s Manhattan headquarters, and the data he allegedly stole belonged primarily to co-workers in the bank’s IT department. The police executed a search warrant at Mr. Adeyemi’s apartment on April 30, 2009. There, “investigators found dozens of Bank of New York employees’ credit reports on his computer, along with many other documents containing personal identifying information of more than 150 Bank of New York employees. In a storage locker Mr. Adeyemi rented, the investigative team found notebooks containing hundreds of names, social security numbers, account numbers, and other personal data, along with numerous credit cards in Bank of New York employees’ names. Investigators also recovered $30,000 in cash from Mr. Adeyemi’s apartment. Mr. Adeyemi was arrested in the course of the search warrant execution, and remained in custody ever since.
Adeyemi confessed to have stolen more than $1.1 million over an eight-year period from charities by transferring funds from the charities’ bank accounts into bogus accounts he’d set up using the personal information of his former co-workers, prosecutors say. He “input the charities’ banking details, including account and routing numbers, to set up wire transfers on the E*Trade and Fidelity sites from the charities’ account to his dummy accounts, and withdrew the stolen funds or transferred them to a second layer of dummy accounts,” the district attorney’s office said in its press release.
More than a dozen charities were victimized, including Goodwill Industries of Greater New York, the Jacksonville Humane Society and the International Association of Women Judges, all of which had publicized their bank account details in order to receive donations.
Adeyemi also admitted to stealing money from his former colleagues, taking control of their online bank accounts and then wiring money to his dummy accounts, the district attorney said. Wiring just under $10,000 at a time to avoid hitting the threshold at which all financial institutions must report transactions to the US Treasury, he is accused of stealing more than $128,000 from staff.
He spent the proceeds on U.S. Postal Service money orders, to pay his rent and credit cards, and to purchase goods that were then shipped to Nigeria, prosecutors said.
Interestingly, the fraud is reported to have been detected not by the bank or victims, but by the New York/New Jersey Electronic Crimes Task Force of the United States Secret Service, which began surveillance on Adeyemi after tracing suspicious Internet activity at his apartment. This investigation resulted in the search of his apartment and his arrest. This is probably just half of the story, but how the case exactly came to light is an interesting point.
How about contemporary standards for IT security in banks? Do IT staff really need access to client data at all? How about monitoring what IT staff (and bank staff for that matter) are accessing? Any red flags that should have been raised during his eight year rampage? Not only banks seems to be struggling to keep client data safe. If you look at the ‘ fraud triangle’, ‘opportunity knocked’ in this case.
http://www.businessweek.com/idg/2010-07-02/ny-bank-it-tech-pleads-guilty-to-data-theft-fraud.html
http://www.newyorkcriminallawyerblog.com/2009/10/bank_of_new_york_melon_compute_1.html
http://financialcrimeonline.com/archives/802
http://www.finextra.com/news/fullstory.aspx?newsitemid=20672
