Thursday, 27 November 2003
Wells Fargo data theft goes into "crooks-are-dumb file"
Yesterday, local authorities and the U.S. Secret Service announced an arrest in the case of Wells Fargo's stolen customer data. (San Francisco Chronicle's coverage: "Arrest in Wells Fargo data theft") A few weeks ago, Edward Krastof of Concord, California allegedly stole a laptop computer from the office of a consultant hired by Wells Fargo. The hard drive "contained a treasure trove of customer data," including names, addresses, bank account numbers, and social security numbers. Krastof claims that he had no idea that the information was there — he claims to have stolen the computer to use it himself. Do we believe him? Police also found stolen driver's licenses in Krastof's house. "He said he manufactures forged I.D. cards and checks," said Sgt. Stephen White of the Concord Police Department. "He's kind of a low-level I.D.-theft guy." The Chronicle article also quotes Benjamin Jun, vice president of Cryptography Research: "it looked like the case of the stolen Wells Fargo data came straight from 'the crooks-are-dumb file.'"
Richard Thompson, a Wells Fargo customer who was among those whose information was stolen, talked to reporters last week. "It's outrageous," he said. "As far as I'm concerned, this is as big a breach as they could have. It's like my money being stolen." Wells Fargo's solution? The bank offered to pay $90 for each customer to join PrivacyGuard, a credit-monitoring service, for one year. Thompson's response? "My Social Security number is now out. This will affect me for the rest of my life."
Wells Fargo tried hard to keep this story from the public eye. When a financial institution's sensitive customer data is compromised, California law requires only that it notify affected customers "in a timely manner." Wells Fargo sent a letter to affected customers two weeks after the theft. The press reported the story only after irate and fearful customers brought it to reporters' attention. The excuse? The bank wanted to avoid tipping off the thief to what he had taken, in the event that he did not already know. After all, the computer was taken from a small, nondescript consultant's office behind a sports bar — not from a bank branch. For now, Krastof's self-serving "I didn't know" defense gives Wells Fargo plausible deniability.
Even before we have all the facts (keep reading over the next few weeks), this case demonstrates one way in which privacy laws are woefully inadequate. Banks are highly regulated, but there is little or no supervision of banking operations that are outsourced. American businesses share an ostrich-like consensus that clerical or consulting work is safe so long as it stays within the country. Barely a month ago, offshore outsourcing made a brief headline splash when a medical transcriptionist in Pakistan held hostage some patient files from the UCSF Medical Center. She threatened to post the files on the Internet unless she was paid hundreds of dollars.
The Wells Fargo episode proves that outsourcing must be treated with greater care wherever it is done. I am by no means advocating an end to outsourcing. Forcing businesses to do all their work in-house would be terribly inefficient. However, customer data should almost never be let out the door, except where data processing or warehousing is being done. Wells Fargo has thus far refused to say what this particular consultant, Peter Gascoyne, was doing, beyond stating that he is a "'data analyst' [who] has a 'special expertise' beyond what the bank was capable of doing in-house" (quoting from the Chronicle). With a proper database infrastructure in place, data analysis does not require the analyst to keep the data locally.
Ideally, consultants should do their work at the bank or dial into the bank's intranet or virtual private network. At the very least, banks should require strong privacy protections in their consulting contracts, with severe consequences for preventable breaches. How was the breach accomplished in this case? Someone left the door to Gascoyne's office suite unlocked.