It is reported that at least 60% of cyber-attacks on financial institutions are attributed to privileged users, third-party partners, or malicious employees. This sometimes happens through employee negligence, and sometimes because an employee has malicious intentions and commits deliberate sabotage. These threats have become hard to control because such threat actors normally use authorized credentials and are considered safe when accessing the organizational network. Banks and other financial institutions are among the top targets, and these attacks have led to the loss of billions of customer records over the past few years. According to the 2018 Cost of Insider Threats: Global Organizations report, “a malicious insider threat can cost an organization $2.8M per year, or an average of $604,092 per incident.”
Verizon’s breakdown was that 77% of internal breaches were deemed to be by employees, 11% by external actors only, 3% by partners, and 8% involved some kind of internal-external collusion, which makes them hard to categorize. The annual DBIR report states that since 2010, internal attackers have accounted for almost one in five successful breaches.
A Gartner study on criminal insider threats found that 62% of insiders with malicious intent are categorized as people looking for supplemental income. It is important to note that seniority had little to no effect in this category: just 14% of persistently malicious insiders were in a leadership role, and approximately one third had access to sensitive data.
A few more figures from a survey are worth sharing: a majority of respondents (53%) confirmed insider attacks against their organization in the previous 12 months (typically fewer than five attacks). 27% of organizations say insider attacks have become more frequent. The vast majority (86%) of organizations already have or are building an insider threat program: 35% have a formal program in place to respond to insider attacks, while 50% are focused on developing their program.
This post looks into the aftermath of insider threats across different banking institutions around the world. Please take note that the content and any of the opinions expressed are solely my own, and do not express the views or opinions of my employer.
JP Morgan Chase
- Peter Persaud, a now-former banker at JP Morgan Chase, reportedly sold personal identifying information (PII) and other account information, including the personal identification numbers (PINs) of bank customers. Persaud was first exposed in 2014 when he sold account information to a confidential informant for $2,500. Later, Persaud reportedly offered four additional accounts for approximately $180,000. Court documents showed that Persaud told the undercover officer that he needed to “take it easy”, otherwise the bank might realize he had accessed all of the bank accounts that “got hit”.
“Persaud abused his position by victimizing unsuspecting customers, and will now pay the penalty for his fraudulent conduct,” – Richard Donoghue, United States Attorney for the Eastern District of New York
- Another former JP Morgan Chase investment advisor, Michael Oppenheim, was accused in a civil complaint of stealing more than $20M from the bank’s clients between 2011 and 2015. Oppenheim claimed to have invested their money in low-risk municipal bonds and sent doctored account statements reportedly showing earned profits on those investments. Throughout the years, Oppenheim took steps to conceal his fraud. For instance, when a customer asked for a statement reflecting his municipal bond holdings, he created false account statements. Additionally, there were times Oppenheim copied the customers’ details onto an account statement reflecting the holdings of another customer, then provided the fabricated statement to convince the customer that he had purchased the municipal bonds as promised. In another instance, Oppenheim transferred money from one customer to another in order to replenish the funds he had previously stolen.
“We allege that Oppenheim promised his customers that he would invest their money in safe and secure investments, but he seized their funds and aggressively played the stock market in his own accounts,” said Amelia A. Cottrell, Associate Director of the SEC’s New York Regional Office.
- In a different insider case at JP Morgan Chase, it was reported that for over two years a JP Morgan Chase banker was able to access, and issue ATM cards for, 15 accounts belonging to elderly and deceased clients of the bank. Dion Allison was accused of stealing $400,000 from accounts by searching for customers with high, stagnant balances and Social Security deposits. With the help of two of the banker’s friends, the funds were withdrawn using the issued ATM cards at machines around NYC.
“Since I was 16, I worked in the financial field, I did internships and everything, now my reputation is tarnished because of this,” – Jonathan Francis, an ex-banker who was wrongfully implicated in this case
- It was reported that JPMorgan Chase in 2013 fired an executive in charge of forensic investigations, Peter Cavicchia, for snooping on top executives at the company. Cavicchia, a former U.S. Secret Service agent, oversaw the use of data analytics to spot signs of misbehavior among JPMorgan employees. Cavicchia led a team of 120 engineers from Palantir, a data-mining company.
Morgan Stanley
In 2015, Morgan Stanley, one of the largest financial services companies in the world, was forced to pay a $1M penalty for failing to protect its customers’ records. This came after the company lost $730,000 in customer records to hackers. The breach surfaced in a post published on Pastebin in which six million account records of Morgan Stanley clients were offered for sale. In the following weeks, a new post appeared on a website pointing to the Speedcoin platform; it featured a teaser of real records from 900 different accounts and provided a link for people interested in purchasing more. This activity was traced to Galen Marsh, an employee in the private wealth management division of Morgan Stanley. Marsh started as a Customer Service Associate and later became a Financial Advisor in the Manhattan office, where he provided financial and investment services to private wealth management clients.
It was reported that Marsh conducted approximately 6,000 unauthorized searches in the firm’s computer systems over about three years, thereby obtaining confidential client information, including names, addresses, telephone numbers, account numbers, fixed-income investment information, and account values, totaling approximately $730,000 from client accounts. Marsh uploaded the confidential client information to a personal server at his home. Ironically enough, investigators confirmed that Marsh’s home server was hacked, the very same server Marsh had used to exfiltrate customer data from Morgan Stanley.
“It is probable that the client data was extracted from Mr. Marsh’s home as a result of outside hackers. In fact, based upon conversations with representatives of Morgan Stanley, we learned that hackers emanating from Russia were suspected of posting the information and offering to sell it online.” – Sentencing Memorandum
Huaxia Bank
Qisheng, a senior programmer at Huaxia Bank, realized that withdrawals completed close to midnight were not being recorded properly. That meant customers could withdraw cash from ATMs without the balances in their accounts being affected. Qisheng discovered the flaw in 2016, and in November that year he inserted a few scripts into the banking system which, he said, would allow him to “test” the loophole without triggering an alert. For more than a year Qisheng made cash withdrawals of between $740 and $2,965 from a dummy account the bank used to test its systems. By January 2018, after about 1,358 withdrawals, Qisheng had amassed over $1M. The irregular activity in the dummy account was eventually detected and verified during a manual check by the bank.
Prior to his arrest, Qisheng decided to return all of the money he had withdrawn to the bank. Qisheng explained to the bank that the repeated withdrawals had all been part of his testing of the system, and that telling the bank he was doing this would not have been worth the effort. It is interesting to note that Huaxia Bank reportedly asked the police to drop the case, accepting Qisheng’s explanation that he was merely testing the bank’s security and was holding onto the money for the bank to reclaim. The courts didn’t “buy” the argument, considering that Qisheng had moved the money to his personal bank account rather than the bank’s dummy account, and had invested it in the stock market.
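As an added defender-side example, not from the original post: the Huaxia Bank case hinges on ATM dispenses near midnight that the core ledger never posted, and on a test account accumulating those gaps until a manual check caught them. The Python below reconciles a constructed ATM journal against constructed ledger postings, flags every dispense without a matching debit, and groups the gaps per account with a midnight-proximity count; all record layouts, field names and sample values are assumptions made for illustration.

```python
"""Reconcile ATM dispense events against core-ledger postings.

Added example (not from the original post). A nightly join of the ATM
journal to the ledger surfaces dispenses that were never posted, which
is exactly the gap the Huaxia Bank programmer exploited. Record layouts
and sample data below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ATM journal: what the machines actually dispensed.
ATM_JOURNAL = [
    # (event_id, account, amount, dispensed_at)
    ("e1", "ACCT-1001", 200.0, "2017-06-01T14:05:00"),
    ("e2", "ACCT-TEST-9", 1500.0, "2017-06-01T23:59:20"),  # near midnight
    ("e3", "ACCT-1002", 50.0, "2017-06-02T09:10:00"),
    ("e4", "ACCT-TEST-9", 2800.0, "2017-06-02T23:59:45"),  # near midnight
    ("e5", "ACCT-1001", 100.0, "2017-06-03T00:00:10"),
]

# Constructed core-ledger postings: what was actually debited.
LEDGER = [
    # (account, amount, posted_at)
    ("ACCT-1001", 200.0, "2017-06-01T14:05:01"),
    ("ACCT-1002", 50.0, "2017-06-02T09:10:01"),
    ("ACCT-1001", 100.0, "2017-06-03T00:00:12"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def near_midnight(ts, minutes=5):
    """True if the timestamp falls within `minutes` of a day boundary."""
    t = parse(ts)
    since_midnight = t - t.replace(hour=0, minute=0, second=0, microsecond=0)
    until_midnight = timedelta(days=1) - since_midnight
    return min(since_midnight, until_midnight) <= timedelta(minutes=minutes)


def reconcile(journal, ledger, window=timedelta(seconds=120)):
    """Return journal events with no ledger posting of the same account and
    amount within `window` of the dispense time. Each posting may satisfy
    at most one event, so duplicate dispenses are not masked by one debit."""
    unused = list(ledger)
    unmatched = []
    for event_id, account, amount, dispensed_at in journal:
        t = parse(dispensed_at)
        match = None
        for posting in unused:
            p_account, p_amount, posted_at = posting
            if (p_account == account and p_amount == amount
                    and abs(parse(posted_at) - t) <= window):
                match = posting
                break
        if match is None:
            unmatched.append((event_id, account, amount, dispensed_at))
        else:
            unused.remove(match)
    return unmatched


def summarize(unmatched):
    """Group unposted dispenses per account: count, total amount, and how
    many fell within five minutes of midnight (the pattern in the case)."""
    summary = defaultdict(lambda: {"count": 0, "total": 0.0, "near_midnight": 0})
    for _, account, amount, dispensed_at in unmatched:
        entry = summary[account]
        entry["count"] += 1
        entry["total"] += amount
        if near_midnight(dispensed_at):
            entry["near_midnight"] += 1
    return dict(summary)


if __name__ == "__main__":
    gaps = reconcile(ATM_JOURNAL, LEDGER)
    for account, entry in summarize(gaps).items():
        print(f"{account}: {entry['count']} unposted dispenses, "
              f"total {entry['total']:.2f}, "
              f"{entry['near_midnight']} within 5 min of midnight")
```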
Bank J. Safra Sarasin
A Zurich court convicted a former employee of Bank J. Safra Sarasin AG, Eckart Seith, of corporate espionage for leaking internal documents to a lawyer in connection with a controversial tax deal. It is interesting to mention that Seith described himself as a whistleblower in this case.
According to a report by BDO, 1,755 whistleblowing reports were sent to the FCA last year, up from the 1,420 it received in 2017.
“The Zurich District Court condemns three persons, accused of transferring a bank customer list to a German lawyer, for multiple violations of the banking law,”
“The first conviction at Cum-Ex concerns a fraudster instead of a person who has contributed to the investigation of the billion dollar raid Cum-Ex.”
The following graph reflects the number of whistleblower tips received in FY 2018, by allegation type.
Barclays
Barclays was fined $15M by a New York regulator over attempts by chief executive Jes Staley and senior management to unmask a whistleblower. It was reported that Staley twice attempted to use Barclays’ internal security team to track down the authors of two anonymous letters sent to the board and a senior executive at the bank last June. On the second occasion, the security team received assistance from a US law enforcement agency but still failed to identify the whistleblowers.
“One of our colleagues was the subject of an unfair personal attack sent via anonymous letters addressed to members of the board and a senior executive at Barclays. The allegations related to personal issues from many years ago, and the intent of the correspondents in airing all of this was, in my view, to maliciously smear this person.
In my desire to protect our colleague, however, I got too personally involved in this matter. My hope was that if we found out who was sending these letters we could try and get them to stop the harassment of a person who did not deserve that treatment. Nevertheless, I realise that I should simply have the compliance function handle this matter, as they were doing. This was a mistake on my part and I apologise for it.” – James Edward Staley, In an internal email to Barclays staff
ING Bank
During an information security project carried out by the Risk Center of TBB, suspicious inquiries made by an ING Bank employee were found. In an investigation at ING Bank in October 2018, the bank concluded that the breach was caused by the authorization system having been disabled. This compromised the IDs and names of 19,055 individuals, and the credit reports, address information and phone numbers of 1,172 sole proprietorships and partnerships.
TD Bank
- In 2011, a federal grand jury indicted a former TD Bank employee, call center representative Jennell Digby, for her alleged role in a scheme involving fraudulent withdrawals totaling nearly $70K from TD Bank branches. The indictment alleges that a co-conspirator, Kashon Adade, provided Social Security numbers to Digby in exchange for account information that Digby retrieved using her access to TD Bank’s client records. As part of the bank fraud scheme, Adade recruited individuals to open bank accounts and turn over the account documents and debit cards to them. Adade then deposited, or directed others to deposit, checks drawn on closed accounts or accounts with insufficient funds into the newly opened accounts, and then withdrew money from the accounts or conducted check card transactions before the bank determined that the checks were unfunded.
- In a different case, eight people, including a former bank teller, were charged with participating in an identity theft ring that used account information stolen from TD Bank customers. The indictment charges them in connection with 21 separate thefts across New Jersey between April and July 2013 that totaled $155,500 and involved the use of eight stolen identities. The thefts ranged in amount from $3,500 to $9,000. The individuals who posed as account holders were provided with forged New York driver’s licenses and pre-completed withdrawal slips so that they could conduct the fraudulent transactions. The fake account holders allegedly included drug addicts and homeless persons, who were sometimes provided with clothing to wear in the banks. It was reported that Bronthie Charles stole the identities of TD Bank customers while working for the bank in New York from January 2012 through May 2013, and provided the information to Divine Garcia, who allegedly was the leader of the ring.
Goldman Sachs
- It was reported that a former Goldman Sachs programmer, Sergey Aleynikov, decided to accept an offer from Teza Technologies that tripled his salary (to about $1.2M). On his way out, Aleynikov downloaded to a flash drive just 32 of about 1,224 megabytes of source code for the high-frequency trading (HFT) software he had been working on. After uploading the source code to the flash drive, Aleynikov transferred copies of it to several of his personal devices and subsequently shared it with his new employer. These actions caught Goldman’s eye, which led to his arrest by the FBI. Aleynikov also attempted to delete the bash history on the network that showed his activity, an action which prosecutors later insisted was evidence that he knew his actions were wrong.
“the most substantial theft that the bank can remember ever happening to it,” – Joseph Facciponti, Assistant US attorney
- In May 2018, Woojae “Steve” Jung, a former Goldman Sachs banker, was tried and sentenced to three months in prison for using a secret account to reap thousands of dollars in illegal profits by trading on inside information about the bank’s clients. Jung secretly opened a separate account in a friend’s name and used it to facilitate his brother’s trades in shares of at least 10 companies, based on inside information he obtained about deals involving the bank’s customers.
“Woojae Jung used material nonpublic information stolen from his investment bank employer to net nearly $130,000 in illegal gains,” – Geoffrey Berman, U.S. Attorney
“While it seemed like I was helping my family in the short term, my poor judgment has led to larger, unfathomable problems and irrevocable damage,” – Jung wrote to U.S. District Judge Lewis Kaplan
JPMorgan Chase (The London Whale)
The “London Whale” scandal resulted in over $6 billion of trading losses for JPMorgan Chase. The claims included wire fraud, falsification of books and records, false filings with the Securities and Exchange Commission, and conspiracy to commit all of those crimes. The individuals’ intent remains unclear, and the charges against two former derivatives traders were dropped. The Department of Justice stated that it “no longer believes that it can rely on the testimony” of Bruno Iksil.
“The top U.S. securities regulator on Friday dropped its civil lawsuit accusing two former JPMorgan Chase & Co (JPM.N) traders of trying to hide some of the bank’s $6.2 billion of losses tied to the 2012 ‘London Whale’ scandal.”
Wells Fargo
- Wells Fargo reported insider fraud by employees who created almost 2M accounts for their clients without their knowledge or consent. Wells Fargo’s clients took notice when they started receiving charges for fees they did not anticipate, together with credit or debit cards they had not requested. Initially, the blame was placed on individual Wells Fargo branch workers and managers. The blame later shifted top-down, to the practice of opening many accounts for clients through cross-selling. This insider fraud was engineered by particular managers of the bank in collaboration with other bank employees. By opening these accounts, Wells Fargo employees were able to obtain credits illegally. The fraud led to the CFPB fining the bank an estimated $100M, and to a total of nearly $3 billion when counting the remainder of the losses and fines. The illegal activity has also exposed the bank to other civil and criminal lawsuits, as well as costing it the trust of its customers.
“the widespread illegal practice of secretly opening unauthorized deposit and credit card accounts.” – Consumer Financial Protection Bureau
- In a different case, when a lawyer for Gary Sinderbrand, a former Wells Fargo employee, subpoenaed the bank as part of a defamation lawsuit against a bank employee, he and Sinderbrand expected to receive a selection of emails and documents related to the case. But what landed in Sinderbrand’s hands went far beyond what his lawyer had asked for: Wells Fargo had turned over, by accident according to the bank’s lawyer, an unencrypted CD with confidential information on about 50,000 of the bank’s wealthiest clients. The 1.4 gigabytes of files that Wells Fargo’s lawyer, Angela Turiano, sent included copious spreadsheets with customers’ names and Social Security numbers, paired with financial details such as the size of their investment portfolios and the fees the bank charged them. Most were customers of Wells Fargo Advisors, the arm of the bank that caters to high-net-worth investors.
“I strongly believe that if you and I meet asap, we can find a solution acceptable to both parties.” – Gary Sinderbrand, in an email to a Wells Fargo Advisors regional manager
“This was the unfortunate result of an unintentional human error involving a spreadsheet,” – Shea Leordeanu, Spokeswoman for Wells Fargo Advisors
“Unbeknownst to me, the view I was using to conduct the review has a set limit of documents that it showed at one time,” said Wells Fargo’s attorney, Angela Turiano. “I thought I was reviewing a complete set, when in fact, I only reviewed the first thousand documents.”
HSBC
- In 2017, HSBC apologized after it e-mailed personal information on customers to other account holders. The e-mails contained names, e-mail addresses, countries of residence, the name of the customers’ relationship manager and HSBC customer identification numbers.
“An e-mail was sent to a small number of our retail banking customers which unfortunately included an attachment containing personal information of some of HSBC Bermuda’s customers.” – HSBC spokeswoman
- In another case, HSBC was fined US$5.3M after losing, in April 2007, an unencrypted floppy disk in the post containing the details of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers; in February 2008 HSBC also lost an unencrypted CD in the post containing the details of 180,000 policyholders.
“It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers’ details.” – Margaret Cole from the Financial Services Authority (FSA)
Bangladesh Bank
In 2016, Bangladesh Bank underwent a massive cyber attack in which more than $81M disappeared without a trace. The attack, originally targeting $951M, was conducted through a series of transactions and was terminated at a point when $850M was yet to be transferred through the SWIFT network. Thirty transactions amounting to $850M were blocked by the Federal Reserve Bank of New York after suspicions arose due to a spelling mistake made by the perpetrators. Nearly $101M was transferred from Bangladesh Bank’s account at the New York Fed to Philippines-based Rizal Commercial Banking Corp under fake names and later disappeared into the casino industry; only $20M of the $101M, the portion originally traced to Sri Lanka, was successfully recovered, from Perera’s Shalika Foundation bank account. It is also important to mention that the Philippines’ Anti-Money Laundering Council accused seven bank officials of money laundering in a complaint filed at the country’s Justice Department. It is worth noting that there was no definitive published evidence that this breach was caused by insiders.
“The malware was customized for Bangladesh Bank’s systems, Alam said, adding someone must have provided the hackers with technical details about the central bank’s computer network.” – Bangladesh police deputy inspector general, Mohammad Shah Alam
“We’re pretty sure it was the work of Lazarus group.” and “We don’t do attribution, we publish only the facts.” – Vitaly Kamluk, researcher at Kaspersky Lab
UBS
- Roger Duronio, a former sysadmin at UBS, worked at the bank for two years, was paid a salary of $125,000 and was expecting a bonus of $50,000. When he got only $32,000, Duronio resigned and decided to take revenge on the bank. On March 4 at 9:30 am, at the exact moment trading begins, the “logic bomb” detonated. The planted logic bomb began deleting files (reportedly via “rm -rf /”) across the company’s network and was intended to prevent the backed-up data from being used. Duronio was also accused of attempting to profit from the attack by buying more than $21,000 in 318 “put option” contracts for UBS stock; a put option is a type of security that increases in value when a stock’s price drops. Basically, Duronio was betting the stock’s price would go down after his logic bomb went off. The attempt failed, as UBS stock didn’t fall as expected because information about the attack was not disclosed publicly. In the days following the logic bomb’s activation, 2,000 servers required restoration from tape. More than 200 IBM technicians were needed to recover the systems, while every branch’s ability to place brokerage orders was impaired or unavailable. At least 8,000 UBS brokers were unable to trade for a day or more, and 9,000 other employees could not log on to their desktops.
“Nothing more than 50 to 70 lines of malicious code took down about 2,000 servers, leaving 8,000 brokers across the country unable to work. IT teams spent sleepless nights on conference calls with IBM and scrambled to reset servers, trying to undo damage that still, four years later, hasn’t been completely repaired.” – Sharon Gaudin
Trial testimony revealed that on the day Duronio quit his job at UBS, he walked out of the bank’s offices and straight to his broker’s office to bet against UBS. Duronio’s broker, Gerry Speziale, testified that an angry Duronio came to his office and said words to the effect of “God knows what I can do to get even.” In December 2006, Roger Duronio was sentenced to eight years in prison and ordered to pay more than $3 million in restitution to UBS. To be fair to Duronio’s family, you might be interested in reading Duronio’s daughter’s comments on the trial.
- Former UBS trader Kweku Adoboli was convicted and sentenced to seven years in jail for losing the bank more than $2 billion. Beginning in 2008, Adoboli started using the bank’s money for unauthorized trades. Adoboli entered false information into UBS’s computers to hide the risky trades he was making. He exceeded the bank’s per-employee daily trading limit of $100M and failed to hedge his trades against risk. UBS launched an internal investigation into Adoboli’s trades. On 14 September 2011, Adoboli wrote an e-mail to his manager admitting to booking false trades. His trades cost the bank $2B and wiped off $4.5B from its share price. The trading losses he incurred while trading for his bank were the largest unauthorized trading losses in British history.
“There is a strong streak of the gambler in you. You were arrogant to think the bank’s rules for traders did not apply to you.” – Mr Justice Brian Keith
“I take responsibility for my actions and the shitstorm that will now ensue. I am deeply sorry to have left this mess for everyone and to have put my bank and my colleagues at risk.” – Adoboli, in the e-mail to his manager admitting to booking false trades
Punjab National Bank
Punjab National Bank in India parted with almost $43M after Gokulnath Shetty, a bank employee, used unauthorized access to a susceptible password in the SWIFT interbank transaction system. The fraudulent act was carried out to release funds in a highly complex transactional chain schemed up by Nirav Modi. It was reported that the bank officials issued a series of fraudulent “Letters of Undertaking” and sent them to overseas banks on behalf of a group of Indian jewelry companies.
A Letter of Undertaking, or LOU, is a document issued by a bank to a person or a firm. An LOU is generally used for international transactions and is issued with the credit history of the party concerned in mind. The party can then avail itself of Buyer’s Credit against this LOU from a foreign bank.
SunTrust Bank
In February 2018, SunTrust Bank became aware of an attempted data breach by a now-former employee who had downloaded client information; the discovery triggered an internal investigation. It was reported that the compromised data of 1.5M clients included names, addresses, phone numbers, and account balances; however, the stolen data did not include information such as Social Security numbers, account numbers, PINs, and passwords. To address the resulting concern about identity theft and fraud, SunTrust offered its clients services such as credit monitoring, dark web monitoring, identity “restoration assistance”, and $1M in identity theft insurance. In addition, the bank heightened its existing security protocols, such as ongoing monitoring of accounts, a FICO score program, alerts, tools, and zero-liability fraud protection.
Later, Morgan & Morgan filed a proposed class-action lawsuit seeking damages for the theft of the plaintiffs’ personal and financial information, as well as for imminent and impending injury as a result of identity theft and potential fraud, improper disclosure of personally identifiable information, inadequate notification of the data breach, and loss of privacy.
“The lawsuit, which we filed on behalf of our clients and the 1.5 million consumers affected by the data breach, seeks to hold SunTrust accountable from its acknowledged failure to keep safe the information entrusted to it” – Morgan & Morgan lawyer John Yanchunis
Citigroup
- A former Citigroup VP, Gary Foster, was sentenced to 97 months in prison for embezzling more than $22M from the bank. Foster admitted that he transferred funds from various Citigroup accounts to Citigroup’s cash account and then to his private account at JPMorgan Chase. According to the complaint, Foster was able to evade detection for years by making false accounting entries that made it seem as though the wire transfers were in support of existing Citigroup contracts when they were actually going to his own account. The fraud was uncovered during an internal audit of Citigroup’s treasury department.
“I directed funds to be wired into my personal account at JPMorgan.” – Gary Foster
- In December 2013, a former Citi employee, Lennon Ray Brown, reportedly following a meeting with his supervisor about his work performance, transmitted code and commands to 10 core Citibank Global Control Center routers, erasing the running configuration files on nine of them and causing a loss of connectivity to approximately 90% of all bank networks across North America. Minutes later, Brown scanned his employee identification badge and exited the campus. Brown was later sentenced to 21 months in prison and ordered to pay more than $77,000 in restitution.
“They was firing me. I just beat them to it. Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated. I took one for the team. Sorry if I made my peers look bad, but sometimes it take something like what I did to wake the upper management up.” – Lennon Ray Brown
Compass Bank
In July 2007, James Kevin Real, a computer programmer for Compass Bank, was indicted on six counts of financial institution fraud, four counts of access device fraud, and two counts of aggravated identity theft. Real had stolen a USB drive with 1M customer records in order to commit debit-card fraud; Compass Bank claimed that the customer records contained limited information. His accomplice, Laray Byrd, bought a magnetic stripe encoder and software to encode the stolen information onto blank cards. With 250 counterfeit debit cards, Real and his accomplice were able to withdraw money at ATMs from 45 different bank accounts, typically in amounts not exceeding $500. It was also reported that Real would wear a disguise when making the ATM withdrawals.
Daiwa Bank
In September 1995, fearing the damage the losses might cause the bank if they were discovered inadvertently, Toshihide Iguchi, an executive in Daiwa’s New York branch, confessed to the president of Daiwa Bank that he had lost $1.1 billion of the bank’s money over a decade trading U.S. Treasury bonds and had used phony bookkeeping to hide the losses. Upon receiving this confession letter, Daiwa reportedly instructed Iguchi to continue concealing the loss and to assist other bank officers in verifying it. Two weeks later, Daiwa reported the loss to its regulator, the Ministry of Finance (MOF), which instructed Daiwa not to disclose it for two more months, as the ministry was scheduled to announce two major bank failures. Later, when Iguchi was asked why he didn’t own up to his mistakes early on, he said it is a trader’s mentality to keep trading rather than admit defeat.
“At that point you are so desperate, you can’t think about it. As long as there is a chance to recover, you make an effort to recover the loss for the bank that’s why there’s not a sense of criminality,” – Toshihide Iguchi Interview at CNBC
Bank of America
It was reported that Bank of America lost at least $10M as a result of an insider who sold the data of “about 300” customers to cyber-criminals.
Note: This is the only information I could find during my research on the Bank of America case; if you have additional public information, I would welcome you sharing it.
“Involved, a now-former associate, who provided customer information to people outside the bank, who then used the information to commit fraud against our customers,” – Bank of America spokeswoman, Colleen Haggerty, said in an email message.
Conclusion – To Be Continued