Bank insiders are leaking data on client accounts as scams surge
By Tom Schoenberg | Bloomberg
The new staffer was supposed to help Toronto-Dominion Bank spot money laundering from an outpost in New York.
She instead used her access to bank data to distribute customer details to a criminal network on Telegram, according to prosecutors in Manhattan. Local detectives who searched her phone allegedly found images of 255 checks belonging to customers, along with other personal information on almost 70 others.
It’s part of a little-noticed pattern popping up across US banking — from towers in Manhattan, to hubs in Florida and even suburban Louisiana.
As sophisticated scams targeting the life savings of Americans create headlines across the US, the industry’s lowest-paid employees keep getting caught selling sensitive customer information out the back door — emerging as a critical area of weakness in banks’ risk controls.
That’s an inconvenient trend as firms steadfastly argue to policymakers and the public that customers bear primary responsibility for ensuring they don’t get conned out of their savings. While many scams seemingly target people at random, some victims have said con artists who tricked them knew a lot about their finances at the outset.
“The more employees there are inside a company with access to sensitive customer information, the higher the risk that access is going to be abused,” said R.J. Cross, a privacy advocate at US Public Interest Research Group. “Companies need to have technical measures in place to ensure employees and contractors can’t run off with people’s information or access data that isn’t necessary for their job duties.”
There have been warnings for years.
Almost a decade ago, New York’s then-attorney general, Eric Schneiderman, publicly urged major lenders including JPMorgan Chase & Co., Bank of America Corp. and Citigroup Inc. to strengthen internal defenses after an investigation found an identity-theft ring had enlisted tellers from the industry. That built on a broader study by his office showing leaks by corporate insiders were already on the rise, with data “often obtained exclusively for fraudulent purposes.”
Such concerns now carry new urgency. US retirees sitting atop a record stockpile of wealth are facing an onslaught of elder fraud, with estimated annual losses soaring past $28 billion. For con artists, tips on who has a lot of money can be invaluable.
Meanwhile, bank lobbyists are fending off legislative attempts to force firms to do more to protect customers or share their losses.
The recent spate of busts shows banks haven’t yet figured out how to stop employees from trying to monetize their access to highly valuable and sensitive customer information. Some connect with local conspirators on social media for schemes as mundane as faking checks. Banks typically make those victims whole. But more sophisticated cons have proliferated in recent years, often leaving customers on the hook for their losses.
A few prosecutions, like the one against Wade Helms of Navy Federal Credit Union, illustrate how far data can flow.
Authorities in Escambia County, Florida, accused Helms of jotting personal information about customers in a notebook, creating a handle for himself on the dark web, and making it known he was seeking a buyer for information on clients at Navy Federal, the largest US credit union. In one chatroom, Helms found someone who claimed to be a broker for stolen data. The two allegedly spoke by phone, then continued the conversation on a personal computer Helms kept next to his office desk.
The broker “wanted high-dollar account information because that would sell easier on the dark web,” according to an affidavit for an arrest warrant for Helms. The broker created Telegram pages called “Navy Wave,” where screenshots of customer accounts were posted. Some were provided by Helms, who had taken screenshots of customer banking statements and pictures of their identification, according to the warrant.
“Navy Wave” had multiple handles that began with @ScammingServices with more than 2,700 subscribers. By the time the credit union’s internal security discovered the breach, Helms allegedly had exposed as many as 50 accounts. At least five postings on the “Navy Wave” pages included Navy Federal accounts that Helms provided.
In a deal with prosecutors this year, Helms pleaded no contest to 11 charges, including illegal use of personal identification, and was sentenced to 10 years’ probation. He was also ordered to pay about $9,100 in restitution to Navy Federal.
A lawyer for Helms didn’t reply to messages seeking comment.
“Navy Federal takes all necessary precautions to protect our members’ personal and financial information,” a spokesperson for the credit union said in a statement. “We strengthen our processes on a constant basis to ensure member information is kept confidential and continuously monitor member accounts for unusual activity.” The lender said it worked with law enforcement to help secure a conviction.
Incentivizing firms
It’s challenging for companies to adjust to trends in crime, especially as firms are scaling up workforces with thousands of staff, including high-turnover jobs, said Jonathan Lopez, a former federal prosecutor who specializes in bank crime cases.
“The issue may not be one of a faulty program in many instances, but the sheer numbers of people involved,” said Lopez, a partner at Jacobson Lopez in Washington. “While zero fraud rates may be impossible, institutions should be incentivized to continue to strive to get their fraud rates and insider fraud rates as close to zero as possible.”
TD Bank’s recent $3.1 billion settlement with US authorities for failing to prevent money laundering revealed that executives’ focus on costs had contributed to weak internal systems. A result was a rash of crime that mostly went undetected until federal investigators tracking fentanyl sales on the East Coast took a close look at the bank.
The probe found several branch-level employees accepted bribes of cash and gift cards to open accounts and issue debit cards that were then used to move money to Colombia through ATMs.
The increased scrutiny also revealed that a New York-based branch manager stole more than $200,000 from an elderly client, using account information and a fraudulent email address to siphon funds even after the retiree died. The banker, later fired by TD, admitted to the crime and was sentenced to more than a year in prison. His lawyer said he stole the money to pay for his son’s college tuition.
Then in September, authorities in New York swooped in on Daria Sewell, a new employee in TD’s anti-money laundering operations, accusing her of storing images of customers’ checks on her phone. The breach exposed accounts to a network of New York-area fraudsters who were charged in a $500,000 check-fraud scheme, according to the Manhattan district attorney’s office.
Investigators said Sewell distributed information on Telegram with instructions on how to open bank accounts and move money from the TD accounts into them. Recipients allegedly then split profits with her.
Sewell has pleaded not guilty to unlawfully possessing personal information. A lawyer representing her didn’t reply to messages seeking comment.
“In both instances the employees were terminated and we cooperated fully with authorities in their investigations,” a TD spokesperson said in an email. “As we have consistently said, these individuals aren’t representative of our 30,000 colleagues in the US who serve our customers with integrity.”
Fraud ring
Outsourcing can create more cracks in banks’ defenses.
In Louisiana, federal prosecutors traced a check-fraud ring to employees of international call center Teleperformance, where three employees in Shreveport were accused of selling the account information of elderly USAA customers.
The scheme went on for almost two years with the three — Arazhia Gully, Maya Green and Zarrajah Watkins — joining and offering information on customers with high account balances to a network of more than a dozen others, according to federal prosecutors. Some recipients used counterfeit checks to make withdrawals. A portion of the proceeds was later deposited into the personal account of a Teleperformance employee and withdrawn at a nearby casino.
The trading of that data was similar to ordering from a menu at a restaurant, with outsiders choosing which accounts to exploit.
In an example provided by prosecutors, Gully sent a conspirator a text message containing the ages and account balances of eight USAA customers. The person responded with their pick: a 79-year-old with $442,000. Gully then sent a picture of a computer screen showing detailed account information. Another victim was a 95-year-old with $174,000.
“We fully cooperated with authorities to aid in the investigation and terminated the employees as soon as we were made aware of the incidents,” Teleperformance said in an emailed statement. “We work closely with our clients to ensure we minimize our employees’ access to customer account information to include only the access needed to deliver the services and minimize the risk of fraud to the lowest possible level.”
A spokesperson for USAA declined to comment.
The three Teleperformance employees pleaded guilty to bank fraud conspiracy and are awaiting sentencing. Lawyers for Gully and Watkins declined to comment.
Green’s attorney, Joey Greenwald, said his client was low-level in the network and paid just a few hundred dollars for taking screenshots of accounts.
Greenwald said he was surprised his client was able to see so much information, noting she had a 10th-grade education and was working from home: “They hooked her up with a computer and a phone and she had all this access to customer accounts.” Greenwald said he’s not aware Green received any training on how to handle the data.
“To trust her with this kind of information was pretty appalling,” he said.
–With assistance from Paige Smith.