It is reported that at least 60% of cyber-attacks in financial institutions are attributed to privileged users, third-party partners, or malicious employees. This occasionally happens through employee negligence, or when an employee has malicious intentions, leading them to commit deliberate sabotage. The threats have become hard to control since these types of threat factors normally use authorized information and are considered safe when accessing the organizational network. Banks and other financial institutions are considered one of the top targets and have lead to the loss of billions of customers’ records over the past few years. According to a 2018 Cost of Insider Threats: Global Organizations report, “a malicious insider threat can cost an organization $2.8M per year, or an average of $604,092 per incident.”
Verizon’s breakdown was that 77% of internal breaches were deemed to be by employees, 11% by external factors only, 3% were from partners, and 8% involved in some kind of internal-external collusion which makes them hard to categorize. An annual DBIR report states that since 2010, internal attackers account for almost one in five successful breaches.
A Gartner study on criminal insider threats found that 62% of insiders with malicious intent are categorized as people that are looking for a supplemental income. Important to note that seniority had little to almost no effect in this category. Just 14% of persistently malicious insiders were in a leadership role and approximately 1/3 had sensitive data access.
This post looks into the aftermath of insider threats across different banking institutions around the world. Please take note that the content and any of the opinions expressed are solely my own, and do not express the views or opinions of my employer.
JP Morgan Chase
The now-former banker at JP Morgan Chase, Peter Persaud, reportedly sold personal identifying information (PII) and other account information, including the personal identification numbers (PIN) of bank customers. Persaud was first exposed in 2014 when he sold account information to a confidential informant for a sum of $2,500. Later, Persaud reportedly offered four additional accounts for approximately $180,000. Court documents showed that Persaud told the undercover officer that he needed to “take it easy”, otherwise the bank may realize he had accessed all of the bank accounts that “got hit”.
“Persaud abused his position by victimizing unsuspecting customers, and will now pay the penalty for his fraudulent conduct,” -Richard Donoghue, United States Attorney for the Eastern District of New York
JP Morgan Chase II
Another former JP Morgan Chase investment advisor, Michael Oppenheim, was accused in a civil complaint of stealing more than $20M from the bank’s clients between 2011 and 2015. Oppenheim claimed to have invested their money in low-risk municipal bonds and sent doctored account statements reportedly showing earned profits on those investments. Throughout the years, Oppenheim took steps to conceal his fraud. For instance, when a customer asked for a statement reflecting his municipal bond holdings, he created false account statements. Additionally, there were times Oppenheim copied the customers’ details onto an account statement reflecting the holdings of another customer, then provided the fabricated statement to convince the customer that he had purchased the municipal bonds as promised. In another instance, Oppenheim transferred money from one customer to another in order to replenish the funds he had previously stolen.
“We allege that Oppenheim promised his customers that he would invest their money in safe and secure investments, but he seized their funds and aggressively played the stock market in his own accounts,” said Amelia A. Cottrell, Associate Director of the SEC’s New York Regional Office.
JP Morgan Chase III
In a different case of an insider at JP Morgan Chase, it was reported that for over two years JP Morgan Chase bankers could access and issue ATM cards for the 15 accounts of elderly and deceased bank clients. Dion Allison was accused of stealing $400,000 from accounts by searching for customers with high, stagnant balances and Social Security deposits. With the help of two of the banker’s friends, the funds were withdrawn by using issued ATMs around NYC.
“Since I was 16, I worked in the financial field, I did internships and everything, now my reputation is tarnished because of this,” – Jonathan Francis, an ex-banker who was wrongfully implicated in this case.
In 2015, Morgan Stanley, one of the largest financial service companies in the world, was forced to pay a $1M penalty for failing to protect their customers’ records. This was after the company lost $730,000 in customer records to hackers. It was reported in a post published on Pastebin, where six million account records of Morgan Stanley clients were being offered. In the following weeks, a new post was shared on a website pointing to the Speedcoin platform. It featured a teaser of real records from 900 different accounts and provided a link for people interested in purchasing more. This activity was traced to Galen Marsh, an individual who was employed in the private wealth management division of Morgan Stanley. Marsh was originally a Customer Service Associate and then became a Financial Advisor in the Manhattan office, where he provided financial and investment services to particular private wealth management clients.
It was reported that Marsh conducted a total of approximately 6,000 unauthorized searches in the computer systems, and thereby obtained confidential client information, including names, addresses, telephone numbers, account numbers, fixed-income investment information, and account values, totaling approximately $730,000, from client accounts for about three years. Marsh uploaded the confidential client information to a personal server at his home. Ironically enough, the investigators confirmed that Marsh’s home-server was hacked, the very same server that was used by Marsh to exfiltrate customer data from Morgan Stanley.
“It is probable that the client data was extracted from Mr. Marsh’s home as a result of outside hackers. In fact, based upon conversations with representatives of Morgan Stanley, we learned that hackers emanating from Russia were suspected of posting the information and offering to sell it online.” –Sentencing Memorandum
‘The London Whale’
‘The London Whale‘ scandal resulted in over $6 billion of trading losses to JPMorgan Chase. The claims included wire fraud, falsification of books and records, false filings with the Securities and Exchange Commission, and conspiracy to commit all of those crimes. The individuals’ intent remains unclear, while the charges pertaining to two former derivatives traders were dropped. The Department of Justice stated that it “no longer believes that it can rely on the testimony” of Bruno Iksil.
“The top U.S. securities regulator on Friday dropped its civil lawsuit accusing two former JPMorgan Chase & Co (JPM.N) traders of trying to hide some of the bank’s $6.2 billion of losses tied to the 2012 ‘London Whale’ scandal.”
Wells Fargo reported insider fraud by employees who created almost 2M accounts for their clients without their knowledge or consent. Wells Fargo’s clients took notice when they started receiving charges for fees they did not anticipate, together with credit or debit cards that they did not expect. Initially, the blame was placed on individual Wells Fargo branch workers and managers. The blame later shifted top-down to the opening of many accounts for clients through cross-selling. This insider fraud was engineered by particular managers of the bank in collaboration with other bank employees. By opening these accounts, Fargo employees were able to access credits illegally. The fraud led to the CFPB fining the bank an estimated $100M and a total of nearly $3 billion when counting the remainder of the losses and fines. The illegal activity has also made the bank face other civil and criminal lawsuits, as well as losing the trust of their customers.
“the widespread illegal practice of secretly opening unauthorized deposit and credit card accounts.” – Consumer Financial Protection Bureau
In 2016, Bangladesh Bank underwent a massive cyber attack, where more than $81M disappeared without a trace. The attack, originally targeting $951M, was conducted through a series of transactions that were terminated when $850M was still to be transferred through the SWIFT network. Thirty transactions amounting to $850M were blocked by the Federal Reserve Bank of New York after suspicions arose due to a spelling mistake made by the perpetrators of the crime. Nearly $101M was transferred from Bangladesh Bank’s account at the New York Fed to Philippines-based Rizal Commercial Banking Corp under fake names, which later disappeared into the casino industry. Only $20M out of $101M that was originally traced to Sri Lanka was successfully recovered from Perera’s Shalika Foundation bank account. Also, it is important to mention that the Philippines’ Anti-Money Laundering Council has accused seven bank officials of money-laundering in a complaint filed at the country’s Justice Department. Good to note that there was no definite published evidence that these breaches were caused by insiders.
“ The malware was customized for Bangladesh Bank’s systems, Alam said, adding someone must have provided the hackers with technical details about the central bank’s computer network.” – Bangladesh police deputy inspector general, Mohammad Shah Alam
“We’re pretty sure it was the work of Lazarus group.” and “We don’t do attribution, we publish only the facts.” -Vitaly Kamluk, researcher at the Kaspersky Lab
Punjab National Bank
Punjab National Bank in India parted with almost $43M after Gokulnath Shetty, a bank employee, used unauthorized access to a susceptible password in the SWIFT interbank transaction system. The fraudulent act was done to release funds in a highly complex transactional chain schemed up by Nirav Modi. It was reported that the bank officials issued a series of fraudulent “Letters of Undertaking” and sent them to overseas banks, then to a group of Indian jewelry companies.
A Letter Of Undertaking, or LOU, is a document issued by a bank to a person or a firm. This LOU is generally used for international transactions and is issued by keeping in mind the credit history of the party concerned. The party can then avail Buyer’s Credit against this LOU from a foreign bank.
In February 2018, Suntrust Bank became aware of an attempted data breach by a now-former employee who downloaded client information, which triggered an internal investigation that led to its discovery. It was reported that the compromised 1.5M client information data included clients’ names, addresses, phone numbers, and banking balances. However, the stolen data did not include information such as social security numbers, account numbers, PINs, and passwords. To combat the increasing concern of identity theft and fraud, Suntrust offered its clients services like credit monitoring, dark web monitoring, identity “restoration assistance”, and $1M identity theft insurance. In addition, the bank heightened its existing security protocols, like ongoing monitoring of accounts, FICO score program, alerts, tools, and zero-liability fraud protection.
Later, Morgan & Morgan filed a proposed class-action lawsuit in which they sought damages for the theft of the plaintiffs’ personal and financial information, as well as imminent and impending injury as a result of identity theft and potential fraud, improper disclosure of personally identifiable information, inadequate notification of the data breach, and loss of privacy.
“The lawsuit, which we filed on behalf of our clients and the 1.5 million consumers affected by the data breach, seeks to hold SunTrust accountable from its acknowledged failure to keep safe the information entrusted to it” – Morgan & Morgan’ lawyer John Yanchunis.
Bank of America
“Involved, a now-former associate, who provided customer information to people outside the bank, who then used the information to commit fraud against our customers,” – Bank of America spokeswoman, Colleen Haggerty, said in an email message.
Conclusion – Do the right thing.
Insider threats are a major problem within the banking industry and occur in countries all around the world. Both funds and data are at risk, and with over three-quarters of breaches committed by employees, it is clear that financial institutions need visibility into what is happening on the network, and the ability to hunt for threats and determine attribution in a timely manner.