Programmer who stole drive containing 1 million bank records gets 42 months
Only 250 customers notified of massive breach
Computerworld - A former programmer at Birmingham, Ala.-based Compass Bank who stole a hard drive containing 1 million customer records and used some of that information to commit debit-card fraud was sentenced last week to 42 months in prison by an Alabama district court judge.
James Kevin Real was also ordered to pay back the more than $32,000 that he and accomplice Laray Byrd fraudulently withdrew from customer accounts between May and July of last year using those counterfeit debit cards.
The Compass Bank compromise is one of the largest bank-related breaches yet revealed, in terms of the number of customer records that were potentially exposed. The incident, however, appears to have surfaced for the first time only after the Birmingham News carried a story on the sentencing last week.
Ed Bilek, a spokesman for the bank, said today that Real had used the information stolen from Compass Bank's database to create about 250 counterfeit debit cards. He was able to use about 45 of those cards to access and withdraw cash from customer accounts at the bank before he was arrested.
Court records associated with the case did not mention precisely how many customer records Real stole. But Bilek today said that the database on the hard drive Real stole contained "limited information" on about 1 million Compass Bank customers. He added that the records in the database were in a format that was not "readily usable" for committing fraud or for accessing customer account information easily. As a result, apart from the 250 or so individuals from whose accounts Real fraudulently withdrew money, no other customers were notified of the incident, Bilek said.
Bilek did not offer a clarification of what the bank meant when it said the data was stored in a format that was not "readily usable."
As of this February, Alabama was just one of 11 states that do not require companies to automatically notify consumers of data breaches involving the compromise of their personal data. In states that do require such notification, Compass Bank would have been required to notify all 1 million customers of the potential compromise of their data, if the information had been stored in unencrypted form on the stolen hard disk.
Some states even provide for penalties for companies that fail to promptly notify consumers of data breaches involving their personal data.
According to court documents, Real stole Compass' database information in May 2007. The database included customer names, account numbers and passwords. He then used the information from the database to make counterfeit debit cards using a magnetic strip encoder and software purchased by Byrd. Between June and July 2007, the pair proceeded to use the counterfeit cards to access Compass customer accounts and withdraw funds from them, typically in amounts not exceeding $500 or so. The documents show that Real would wear disguises when making the ATM withdrawals -- in fact he was apprehended while wearing one.
Real pleaded guilty last year to a 14-count charge that included fraud as well as the use of unauthorized access devices and aggravated identity theft.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts