23 Cases of Insider Bank Threats

It is reported that at least 60% of cyber-attacks in financial institutions are attributed to privileged users, third-party partners, or malicious employees. This occasionally happens through employee negligence, or when an employee has malicious intentions, leading them to commit deliberate sabotages. The threats have become hard to control since these types of threat factors normally use authorized information and are considered safe when accessing the organizational network. Banks and other financial institutions are considered one of the top targets and have lead to the loss of billions of customers’ records over the past few years. According to a 2018 Cost of Insider Threats: Global Organizations report, “a malicious insider threat can cost an organization $2.8M per year, or an average of $604,092 per incident.”

Verizon’s breakdown was that 77% of internal breaches were deemed to be by employees, 11% by external factors only, 3% were from partners, and 8% involved in some kind of internal-external collusion which makes them hard to categorize. An annual DBIR report states that since 2010, internal attackers account for almost one in five successful breaches.

A Gartner study on criminal insider threats found that 62% of insiders with malicious intent are categorized as people that are looking for a supplemental income. Important to note that seniority had little almost no effect in this category. Just 14% of persistently malicious insiders were in a leadership role and approximately 1/3 had sensitive data access.

Few more interesting figures to share based on a survey, a majority of 53% confirmed insider attacks against their organization in the previous 12 months (typically less than five attacks). 27% percent of organizations say insider attacks have become more frequent. The vast majority (86%) of organizations already have or are building an insider threat program. 35% have a formal program in place to respond to insider attacks, while 50% are focused on developing their program.

I did not include third-party provider (TTP) insider breaches impacted directly banks or other types of breaches such as lost backup storages, mailing errors, skimmers, and printing errors, although those types of breaches have occurred.

This post looks into the aftermath of insider threats across different banking institutions around the world. Please take note that the content and any of the opinions expressed are solely my own, and do not express the views or opinions of my employer.

JP Morgan Chase

  • The now-former banker at JP Morgan Chase, Peter Persaud, as reported Persaud sold personal identifying information (PII) and other account information, including the personal identification numbers (PIN) of bank customers. Persaud was first exposed in 2014 when he sold account information to a confidential informant for a sum of $2,500. Later, Persaud reportedly offered four additional accounts for approximately $180,000. Court documents showed that Persaud told the undercover officer that he needed to “take it easy”, otherwise the bank may realize he had accessed all of the bank accounts that “got hit”.
“Persaud abused his position by victimizing unsuspecting customers, and will now pay the penalty for his fraudulent conduct,” -Richard Donoghue, United States Attorney for the Eastern District of New York
  • Another former JP Morgan Chase investment advisor, Michael Oppenheim, was accused in a civil complaint of stealing more than $20M from the bank’s clients between 2011 and 2015. Oppenheim claimed to have invested their money in low-risk municipal bonds and sent doctored account statements reportedly showing earned profits on those investments. Throughout the years, Oppenheim took steps to conceal his fraud. For instance, when a customer asked for a statement reflecting his municipal bond holdings, he created false account statements. Additionally, there were times Oppenheim copied the customers’ details onto an account statement reflecting the holdings of another customer, then provided the fabricated statement to convince the customer that he had purchased the municipal bonds as promised. In another instance, Oppenheim transferred money from one customer to another in order to replenish the funds he had previously stolen.
“We allege that Oppenheim promised his customers that he would invest their money in safe and secure investments, but he seized their funds and aggressively played the stock market in his own accounts,” said Amelia A. Cottrell, Associate Director of the SEC’s New York Regional Office.
  • In a different case of an insider at JP Morgan Chase, it was reported that for over two years JP Morgan Chase bankers could access and issue ATM cards for the 15 accounts of elderly and deceased of the bank’s clients. Dion Allison was accused of stealing $400,000 from accounts by searching for customers with high, stagnant balances and Social Security deposits. With the help of two of the banker’s friends, the funds were withdrawn by using issued ATMs around NYC.
“Since I was 16, I worked in the financial field, I did internships and everything, now my reputation is tarnished because of this,” — Jonathan Francis, An ex-banker who was wrongfully implicated in this case.
  • It was reported that JPMorgan Chase in 2013 fired an executive in charge of forensics investigations, Peter Cavicchia, for snooping on top executives at the company. Cavicchia, a former U.S. Secret Service agent, led a team of 120 engineers from Palantir to oversee the use of data analytics to spot signs of misbehavior among JPMorgan employees.

Morgan Stanley

In 2015, Morgan Stanley, one of the largest financial service companies in the world, was forced to pay a $1M penalty for failing to protect their customers’ records. This was after the company lost $730,000 in customer records to hackers. It was reported in a post published on Pastebin where six million account records of Morgan Stanley clients were being offered. In the following weeks, a new post was shared on a website pointing to the Speedcoin platform; It featured a teaser of real records from 900 different accounts and provided a link for people interested in purchasing more. This activity was traced to Galen Marsh, an individual that was employed in the private wealth management division of Morgan Stanley. Marsh was originally a Customer Service Associate and then became a Financial Advisor in the Manhattan office where he provided financial and investment services to particular private wealth management clients.

It was reported that Marsh conducted a total of approximately 6,000 unauthorized searches in the computer systems, and thereby obtained confidential client information, including names, addresses, telephone numbers, account numbers, fixed-income investment information, and account values, totaling approximately $730,000 from client accounts for about three years. Marsh uploaded the confidential client information to a personal server at his home. Ironically enough, the investigators confirmed that Marsh’s home-server was hacked, the very same server that was used by Marsh to exfiltrate customer data from Morgan Stanley.

“It is probable that the client data was extracted from Mr. Marsh’s home as a result of outside hackers. In fact, based upon conversations with representatives of Morgan Stanley, we learned that hackers emanating from Russia were suspected of posting the information and offering to sell it online.” — Sentencing Memorandum

Huaxia Bank

Qisheng as a senior programmer at the bank, realized withdrawals that were completed close to midnight were not being recorded properly. That meant customers could access cash from ATM machines without the amount of money in their accounts being affected. Qisheng discovered the flaw in the system in 2016 and in November that year he inserted a few scripts in the banking system which he said would allow him to “test” the loophole without triggering an alert. For more than a year Qisheng made cash withdrawals of between $740 to $2,965 from a dummy account the bank used to test its systems. By January 2018 with about 1,358 withdrawals, Qisheng amassed over a $1M. The irregular activity in the dummy account eventually detected and verified during a manual check by the bank.

Prior to Qisheng arrest, he decided to return all of the money he withdrew to the bank. Qisheng explained to the bank that the repeated withdrawals had all been part of him testing the system and that to tell the bank he was doing this wouldn’t have been worth the effort. Interesting to note that Huaxia Bank reportedly asked the police to drop the case, accepting Qisheng’s explanation that he was merely testing the bank’s security and was holding onto the money for the bank to reclaim. The courts didn’t “buy” the argument, considering that Qisheng moved the money to his personal bank account, instead of the bank’s dummy account and investing in the stock market.

J. Safra Sarasin

Zurich court convicted a former employee Eckart Seith of Bank J. Safra Sarasin AG of corporate espionage for the leaking of internal documents to a lawyer related to a controversial tax deal. Interesting to mention that Seith described himself as a whistleblower in this case.

“The Zurich District Court condemns three persons, accused of transferring a bank customer list to a German lawyer, for multiple violations of the banking law,”
“The first conviction at Cum-Ex concerns a fraudster instead of a person who has contributed to the investigation of the billion dollar raid Cum-Ex.”

ING Bank

During a project carried out by Risk Center of TBB regarding information security, suspicious inquiries rendered by an ING Bank employee were found. During an investigation in ING Bank in October 2018, the bank concluded that the breach caused by disabling the authorization system. This resulted in compromising IDs and names of 19,055 individuals and credit reports, address information and phone number of 1,172 sole proprietorships and partnership companies.

TD Bank

  • In 2011 a federal grand jury has indicted a former TD Bank employee Jennell Digby a call center representative for her alleged role in a scheme involving fraudulent withdrawals totaling nearly $70K from TD bank branches. The indictment alleges that a co-conspirator Kashon Adade provided Social Security numbers to Digby in exchange for account information retrieved by Digby as she had the access to TD Bank’s client information. As part of the bank fraud scheme, Adade recruited individuals to open bank accounts and turn over the account documents and debit cards to them. Adade then deposited or directed others to deposit, checks drawn on closed accounts or accounts with insufficient funds into the newly opened accounts, and then withdrew money from the accounts or conducted check card transactions before the bank determined that the checks were unfunded.
  • In a different case, eight people including a former bank teller were charged with participating in an identity theft ring that used account information stolen from customers TD Bank. The indictment charges them in connection with 21 separate thefts across New Jersey between April and July 2013 that totaled $155,500 and involved the use of eight stolen identities. The thefts ranged in amount from $3,500 to $9,000. The individuals who posed as account holders were provided with forged New York driver’s licenses and withdrawal slips that were already completed so that they could conduct the fraudulent transactions. The fake account holders allegedly included drug addicts and homeless persons who were sometimes provided with clothing to wear in the banks. It was reported that Bronthie Charles stole the identities of TD Bank customers while working for the bank in New York from January 2012 through May 2013, and provided the information to Divine Garcia, who allegedly was the leader of the ring.

Goldman Sachs

  • It was reported that a former Goldman Sachs programmer Sergey Aleynikov decided to accept an offer tripling his salary (about $1.2M) from Teza Technologies. On his way out, Aleynikov decided to download to a flash drive just 32 of about 1,224 megabytes of a code of high-frequency trading code for the HFT software he’d been working on. After uploading the source code to the flash drive, Aleynikov transferred copies of it to several of his personal devices and subsequently shared it with his new employer. These actions caught Goldman’s eye, which led to his arrest by the FBI. Aleynikov also attempted to delete the network’s bash history showing his activity, an action which prosecutors later insisted was evidence that he knew his actions were wrong.
“the most substantial theft that the bank can remember ever happening to it,” — Joseph Facciponti, Assistant US attorney
  • In May 2018, Woojae “Steve” Jung a former Goldman Sachs banker was trialed and sentenced to three months in prison for using a secret account to reap thousands of dollars in illegal profits by trading on inside information about company clients. Steve secretly opened a separate account in a friend’s name and used it to facilitate his brother’s trades in shares of at least 10 companies based on inside information he got about deals involving the bank’s customers.
“Woojae Jung used material nonpublic information stolen from his investment bank employer to net nearly $130,000 in illegal gains,” — Geoffrey Berman, U.S. Attorney
“While it seemed like I was helping my family in the short term, my poor judgment has led to larger, unfathomable problems and irrevocable damage,” — Jung wrote to U.S. District Judge Lewis Kaplan

‘The London Whale’

‘The London Whale’ scandal resulted in over $6 billion of trading losses to JPMorgan Chase. The claims included wire fraud, falsification of books and records, false filings with the Securities and Exchange Commission, and conspiracy to commit all of those crimes. The individuals’ intent remains unclear, while the charges two of former derivatives traders were dropped. The Department of Justice stated, “no longer believes that it can rely on the testimony” of Bruno Iksil.

“The top U.S. securities regulator on Friday dropped its civil lawsuit accusing two former JPMorgan Chase & Co (JPM.N) traders of trying to hide some of the bank’s $6.2 billion of losses tied to the 2012 ‘London Whale’ scandal.”

Wells Fargo

  • Wells Fargo reported insider fraud by employees who created almost 2M accounts for their clients without their knowledge or consent. Wells Fargo’s clients took notice when they started receiving charges for fees they did not anticipate, together with credit or debit cards that they did not expect. Initially, the blame was placed on an individual Wells Fargo branch workers and managers. The blame later shifted top-down to the opening of many accounts for clients through cross-selling. This insider fraud was engineered by particular managers of the bank in collaboration with other bank employees. By opening these accounts, Fargo employees were able to access credits illegally. The fraud led to the CFPB fining the bank an estimated $100M and a total of nearly $3 billion when counting the remainder of the losses and fines. The illegal activity has also made the bank face other civil and criminal lawsuits, as well as losing the trust of their customers
“the widespread illegal practice of secretly opening unauthorized deposit and credit card accounts.” — Consumer Financial Protection Bureau
  • In a different case, when a lawyer for Gary Sinderbrand, a former Wells Fargo employee, subpoenaed the bank as part of a defamation lawsuit against a bank employee, he and Sinderbrand expected to receive a selection of emails and documents related to the case. But what landed in Sinderbrand’s hands on went far beyond what his lawyer had asked for: Wells Fargo had turned over — by accident, according to the bank’s lawyer — an unencrypted CD with confidential information of about 50,000 of the bank’s wealthiest clients. The 1.4 gigabytes of files that Wells Fargo’s Angela Turiano lawyer sent included copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them. Most are customers of Wells Fargo Advisors, the arm of the bank that caters to high-net-worth investors.
“I strongly believe that if you and I meet asap, we can find a solution acceptable to both parties.” — Gary Sinderbrand wrote in an email to Wells Advisors regional manager
“This was the unfortunate result of an unintentional human error involving a spreadsheet,” — Shea Leordeanu, Spokeswoman for Wells Fargo Advisors
“Unbeknownst to me, the view I was using to conduct the review has a set limit of documents that it showed at one time,” said Wells Fargo’s attorney, Angela Turiano. “I thought I was reviewing a complete set, when in fact, I only reviewed the first thousand documents.”

Bangladesh Bank

In 2016, Bangladesh Bank underwent a massive cyber attack, where more than $81M disappeared without a trace. The attack, originally targeting $951M, was conducted through a series of transactions and were terminated at a point when $850M was yet to be transferred through the SWIFT network. Thirty transactions amounting to $850M were blocked by the Federal Reserve Bank of New York after suspicions arose due to a spelling mistake made by the perpetrators of the crime. Nearly $101M were transferred from Bangladesh Bank’s account at the New York Fed to Philippines-based Rizal Commercial Banking Corp under fake names, which later disappeared into the casino industry; Only $20M out of $101M that was originally traced to Sri Lanka was successfully recovered from Perera’s Shalika Foundation bank account. Also, it is important to mention that the Philippines’ Anti-Money Laundering Council has accused seven bank officials of money-laundering in a complaint filed at the country’s Justice Department. Good to note that there was no definite published evidence that these breaches caused by insiders.

The malware was customized for Bangladesh Bank’s systems, Alam said, adding someone must have provided the hackers with technical details about the central bank’s computer network.” — Bangladesh police deputy inspector general, Mohammad Shah Alam

It was also reported and published on several reliable sources that cybercriminal gang Lazarus group linked to the Philippines and Bangladesh bank attack.

“We’re pretty sure it was the work of Lazarus group.” and “We don’t do attribution, we publish only the facts.” -Vitaly Kamluk researcher at the Kaspersky Lab

Punjab National Bank

Punjab National Bank in India parted with almost $43M after Gokulnath Shetty, a bank employee, used unauthorized access to a susceptible password in the SWIFT interbank transaction system. The fraudulent act was done to release funds in a highly complex transactional chain schemed up by Nirav Modi. It was reported that the bank officials issued a series of fraudulent “Letters of Undertaking” and sent them to overseas banks, then to a group of Indian jewelry companies.

A Letter Of Undertaking, or LOU, is a document issued by a bank to a person or a firm. This LOU is generally used for international transactions and is issued by keeping in mind the credit history of the party concerned. The party can then avail Buyer’s Credit against this LOU from a foreign bank.

Suntrust Bank

In February 2018, Suntrust Bank became aware of an attempted data breach by a now-former employee that downloaded client information which triggered an internal investigation that led to its discovery. It was reported that the compromised 1.5M client information data included clients names, addresses, phone numbers, and banking balances; However, the stolen data did not include information, such as social security numbers, account numbers, PINs, and passwords. To combat the increasing concern of identity theft and fraud, Suntrust offered its clients services like credit monitoring, dark web monitoring, identity “restoration assistance”, and $1M identity theft insurance. In addition, the bank heightened its existing security protocols, like ongoing monitoring of accounts, FICO score program, alerts, tools, and zero-liability fraud protection.

Later, Morgan & Morgan has filed a proposed class-action lawsuit in which they seek damages for the theft of the plaintiffs’ personal and financial information, as well as imminent and impending injury as a result of identity theft and potential fraud, improper disclosure of personally identifiable information, inadequate notification of the data breach, and loss of privacy.

“The lawsuit, which we filed on behalf of our clients and the 1.5 million consumers affected by the data breach, seeks to hold SunTrust accountable from its acknowledged failure to keep safe the information entrusted to it” — Morgan & Morgan’ lawyer John Yanchunis

Citigroup

  • A former Citigroup VP Gary Foster was sentenced to 97 months in prison for embezzling more than $22M from the bank. Foster admitted that he transferred funds from various Citigroup to Citigroup’s cash account and then to his private account at JPMorgan Chase. It was reported that Foster was able to evade detection for years by making false accounting entries that made it seem like the wire transfers were in support of existing Citigroup contracts when they were actually being transferred to his account, according to the complaint. The fraud was uncovered during an internal audit of Citigroup’s treasury department.
“I directed funds to be wired into my personal account at JPMorgan.” — Gary Foster
  • In a different case, Lennon Ray Brown admitted causing damage to a protected Citibank computer, was sentenced to 21 months in federal prison and ordered to pay $77,200 in restitution. Brown knowingly transmitted a code and command to 10 core Citibank Global Control Center routers, and by transmitting that code, erased the running configuration files in nine of the routers, resulting in a loss of connectivity to approximately 90% of all Citibank networks across North America. Right after Brown scanned his employee identification badge to exit the Citibank Regents Campus.
“They was firing me. I just beat them to it. Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated. I took one for the team. Sorry if I made my peers look bad, but sometimes it take something like what I did to wake the upper management up.” — Text that Brown sent to a coworker shortly after he shut down Citibank’s system

UBS

Former UBS trader Kweku Adoboli was convicted and sentenced to seven years in jail for losing the bank more than $2 billion. Beginning in 2008, Adoboli started using the bank’s money for unauthorized trades. Adoboli entered false information into UBS’s computers to hide the risky trades he was making. He exceeded the bank’s per-employee daily trading limit of $100M and failed to hedge his trades against risk. UBS launched an internal investigation into Adoboli’s trades. On 14 September 2011, Adoboli wrote an e-mail to his manager admitting to booking false trades. His trades cost the bank $2B and wiped off $4.5B from its share price. The trading losses he incurred while trading for his bank were the largest unauthorized trading losses in British history.

“There is a strong streak of the gambler in you. You were arrogant to think the bank’s rules for traders did not apply to you.” — Mr Justice Brian Keith
“I take responsibility for my actions and the shitstorm that will now ensue. I am deeply sorry to have left this mess for everyone and to have put my bank and my colleagues at risk.” — Adoboli wrote an e-mail to his manager admitting to booking false trades

Compass Bank

In July 2007, James Kevin Real, a computer programmer for Compass Bank, was indicted on six counts of financial institution fraud, four counts of access device fraud, two counts of aggravated identity theft. Real had stolen a USB drive with 1M customer records to commit debit-card fraud. Compass Bank claimed that the customer records contained limited information. Together with Laray Byrd who bought a magnetic strip encoder and software to encode blank cards the information onto counterfeit cards. With 250 counterfeit debit cards, and his accomplice were able to withdraw money from ATMs of 45 different bank accounts typically in amounts not exceeding $500. It was reported also that Real would disguise when making the ATM withdrawals.

Bank of America

It was reported that Bank of America lost at least $10M as a result of an insider threat that sold “about 300” customer data to cyber-criminals.

Note: This is the only information I could find during my research on the Bank of America case, if you have additional public information, I would welcome you sharing it.

“Involved, a now-former associate, who provided customer information to people outside the bank, who then used the information to commit fraud against our customers,” — Bank of America spokeswoman, Colleen Haggerty, said in an email message.

Conclusion — Do the right thing.

  • I would suggest reading Common Sense Guide to Mitigating Insider Threats that provides the current recommendations of the CERT Division. The guide describes 21 practices that organizations should implement to prevent and detect insider threats. The appendices provide a list of information security best practices, a mapping of the guide’s practices to established security standards, a breakdown of the practices by organizational group, and checklists of activities for each practice.
  • Explore the study focuses on the threat to information security posed by insiders.
  • Based on published research carried out CV checks of an unnamed organization’s 5,000 employees and found, 80% of CVs contain discrepancies, 21% using inflated job titles and 12% falsifying grades. A further study showed that almost a third of 619,000 pre-employment checks undertaken over a year-long period uncovered discrepancies.
  • Consultants and other third-party vendors of an insider actor can be overlooked when it comes to managing insider risk. While not a part of the core employee base, these people also receive access to the bank’s sensitive data. These folks are likely to be familiar with the organization’s cybersecurity policies and procedures as permanent bank’s employees. Therefore, it’s important for organizations to see contractors as a part of the larger organization when evaluating and managing risk, and offer comprehensive security training to them as well.
  • Finding potential buyers for stolen confidential data is not as hard as we might think. Staff at corporations are selling the company’s internal secrets for cash to hackers on one of the most famous dark web markets. Besides selling their company’s secret information, researchers reported that they found evidence of rogue staff, in some cases, even working with hackers to infect their company networks with malware. Kick Ass Marketplace offers a subscription of up to one bitcoin a month to its clients for giving them access to a variety of “vetted and accurate” insider information that is posted onto the website. Every post is assigned a “confidence rating,” along with advice on whether to buy and sell stock in the associated company, allowing its clients to cash in on the insider secrets they collected. Kick Ass Marketplace posts about five high confidence insider trading reports every week and makes some US $35,800 a week.

Another dark web marketplace called “The Stock Insiders” that only focuses on insider trading opportunities. The team discovered that one hacker was ready to pay the insider “7 figures on a weekly basis” for helping him gaining access to a bank’s computer.

“In one instance, a hacker solicited bank insiders to plant malware directly onto the bank’s network,”- Ido Wulkan (IntSights), Tim Condello (RedOwl), David Pogemiller (RedOwl).
  • If you are still not sure what that may be, please invite me for a friendly coffee to discuss it.