Lessons learned: The Countrywide Financial breach
The data breach at Countrywide Financial Corp. seems like something out of a TV crime drama: Two men regularly copied customer data and secretly sold it as leads to other mortgage brokers. The tale suggests that data theft is, more often than not, an inside job. Robert Mullins reviews internal threats, and the authorization and access control practices that can stop them.
The FBI informant meets in a bar with two guys who have information to sell. One goes by the name of "Nico," the affidavit reads, while the other is introduced as "Rebollo." Rebollo is Rene Rebollo, who is now facing trial in federal court in Los Angeles for stealing mortgage customer data from Countrywide, while Nico, Wahid Siddiqi, is facing trial for fraud.
According to an FBI agent, Rebollo, on Sunday nights, went to the Countrywide Home Loan office at which he worked in Pasadena, California. Over a period of two years, when no one else was around, he'd regularly insert a flash drive into a computer and copy thousands of customer records. Siddiqi allegedly helped fence the data, selling it as sales leads to other mortgage brokers. In one deal witnessed by an FBI agent, Siddiqi showed another informant data on a compact disk running on a laptop computer.
"It's the bombest data," Siddiqi boasted, meaning the records were promising leads.
Data breaches: Inside jobs or outside attacks?
The Countrywide case illustrates that no matter how much financial institutions invest in security, some breaches still occur. Industry analysts say it's because enterprises either use outdated technology or leave gaping holes in their security that can be easily exploited. Most troubling is the fact that, more often than not, data breaches are an inside job.
"There is a rampant access control and authorization control problem in the enterprise," including financial institutions, says Perry Carpenter, a research director at Connecticut-based Gartner Research Inc., specializing in security and privacy issues.
A study released Oct. 13 by the software firm Compuware Corp. and conducted by the Ponemon Institute stated that 75% of data breaches reported by enterprises were committed by employees; external hackers were the culprits in only 1% of cases.
"You have to extend trust to the people that are working for you, but the very fact that [employers] have to extend trust opens them up to vulnerability," Carpenter said.
Countrywide was conscientious enough to have a safety feature on its computers that prevented people from downloading files onto external devices such as flash drives. But, according to the FBI affidavit, Rebollo used the one computer in the Pasadena office that did not have that feature.
Countrywide, through a spokeswoman, declined to comment for this article. The company, which has since been acquired by Bank of America Corp., has offered two years of a free credit monitoring service to Countrywide customers whose records may have been compromised.
The security scandal comes amid other bad news for Countrywide, which has been accused of using unfair business practices to sell subprime loans to borrowers. Connecticut Attorney General Richard Blumenthal, who is already suing Countrywide over its loan practices, criticized it for allowing this breach.
"Countrywide consumers justifiably want an explanation for a long-term security failure that enabled an employee -- undetected and uncontrolled -- to download sensitive information over an extended period of time," Blumenthal stated in a Sept. 10 news release.
A Countrywide spokesman, quoted in a Los Angeles Times story that same day, disputed reports that as many as two million customer accounts were exposed, but added that Countrywide believes there have been no reports of identity theft or other fraud affecting its customers as a result of the breach.
Caught in the act
FBI documents describe a scheme in which Rebollo downloaded as many as 20,000 customer account records, including name, address, loan amounts and Social Security numbers, nearly each week between 2006 and 2008. He sold each batch of data for $500, delivering it on a thumb drive, on a compact disk or as an email attachment. "Rebollo estimated that he made $50,000 to $70,000 over the course of two years by selling the Countrywide Home Loan data," an FBI affidavit states.
Rebollo initially cooperated with the FBI, meeting with agents July 15, 2008 and allowing them to take his desktop computer and a thumb drive from his Pasadena apartment as evidence. Two days later, though, Rebollo hired an attorney who advised him to revoke his cooperation, requiring the FBI to get a warrant. But despite knowing the FBI was on to him, Rebollo tried to sell more data. An FBI affidavit says Rebollo was on the phone July 23rd with an informant posing as a buyer and was negotiating yet another sale.
Rebollo is charged with exceeding authorized access to the computer of a financial institution, a federal crime that carries a maximum five-year prison term. His lawyer, Michael Severo, has not returned a call for comment. Siddiqi is charged with fraud related to his role in the scheme and is facing a maximum 15-year sentence. His attorney, Jeffrey Lipow, has also not returned a call for comment.
Lessons learned from the Countrywide breach
Although not privy to all the facts of the Countrywide breach, Gartner's Carpenter says the case illustrates the need for financial services firms and all other enterprises to have defense in depth protecting their networks and sensitive company data.
In a July 25 report to Gartner clients, Carpenter writes that enterprises need more than just technology to protect data; they also need management policies and a corporate culture that stresses integrity.
Besides password protection, enterprises should deploy network monitoring software that looks for suspicious data traffic, such as an employee in the office downloading large data files on a Sunday night. But that alone may not be enough for salaried employees who sometimes work odd hours. "It may not set off an alarm bell that they are there on a Sunday," he says.
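The monitoring rule described above can be sketched as follows. This is an added example, not code from Countrywide, Gartner or the article: it alerts only when an off-hours session is also far above the user's own business-hours volume, so an employee who merely works on a Sunday is not flagged. The log format, user names and the 20x threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample access log: (user, ISO timestamp, customer records read).
# User names, volumes and thresholds are illustrative assumptions.
SAMPLE_LOG = [
    ("analyst_a", "2008-03-03T10:15", 40),
    ("analyst_a", "2008-03-04T15:40", 55),
    ("analyst_a", "2008-03-06T11:05", 35),
    ("analyst_a", "2008-03-09T22:30", 60),      # Sunday night, normal volume
    ("clerk_b", "2008-03-03T09:20", 30),
    ("clerk_b", "2008-03-05T13:10", 25),
    ("clerk_b", "2008-03-06T16:45", 45),
    ("clerk_b", "2008-03-09T21:05", 20000),     # Sunday night, bulk read
    ("clerk_b", "2008-03-16T21:10", 19500),     # repeats a week later
]

VOLUME_FACTOR = 20  # alert at 20x the user's own business-hours median


def is_off_hours(ts):
    """True on weekends or outside 07:00-18:59 on weekdays."""
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19


def find_off_hours_bulk_reads(log, factor=VOLUME_FACTOR):
    """Return {user: [(timestamp, records, baseline), ...]} for off-hours
    sessions whose volume is at least `factor` times the user's baseline."""
    events = [(user, datetime.fromisoformat(ts), n) for user, ts, n in log]
    normal = defaultdict(list)
    for user, ts, n in events:
        if not is_off_hours(ts):
            normal[user].append(n)
    everyone = [n for counts in normal.values() for n in counts]
    # Users with no business-hours history fall back to the global median;
    # with no history at all the baseline is 0 and every off-hours read alerts.
    fallback = median(everyone) if everyone else 0
    alerts = defaultdict(list)
    for user, ts, n in events:
        baseline = median(normal[user]) if normal[user] else fallback
        if is_off_hours(ts) and n >= factor * baseline:
            alerts[user].append((ts.isoformat(timespec="minutes"), n, baseline))
    return dict(alerts)


if __name__ == "__main__":
    for user, hits in find_off_hours_bulk_reads(SAMPLE_LOG).items():
        print(user, len(hits), "off-hours bulk reads:", hits)
```

Repeated hits for the same user across consecutive weeks, as in the constructed data, are a stronger signal than any single alert.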
Another vulnerability that may be overlooked involves software applications that access customer databases for various purposes, Carpenter added. An application may scour records to identify customers with the best FICO scores to market a credit card or another financial product to them. Usually, when an employee leaves a company, their password is revoked, but those applications also use passwords that could fall into the wrong hands.
"Over time, people learn about these accounts and it's more likely that if you steal that user ID and password, it's still going to be in effect a year after you leave," Carpenter says.
But more than technology, companies also need to keep employees honest, he concludes. Companies need to schedule regular security training to maintain employee awareness of the need to protect data for the benefit of customers, shareholders and the company. Even something as simple as posting signs about security procedures is another reminder. Steps not related to technology, such as job rotation, segregation of work duties and mandatory vacations, are also part of a layered approach to security.
One last bit of advice sounds counterintuitive: Carpenter advises against "password expiration," in which employees are required to create new passwords for network access at regular intervals. If passwords change frequently, some employees may have trouble remembering them, prompting some to write them down, which increases, rather than reduces, vulnerability.
About the author:
Robert Mullins is a reporter covering the technology industry from Silicon Valley. He writes about servers, storage, security, open source software and other topics.