Bank tellers warned as new data threat

Tellers frequently retrieved customer account numbers from bank databases, without authorisation or a legitimate business need, says the NY attorney general. Photo / Thinkstock

Beware of hackers. And tellers.

That's the message to banks from New York Attorney General Eric Schneiderman, who on Friday warned that tellers and other branch workers have a wealth of client data at their fingertips and managed in a few instances to swipe it. In a letter to nine lenders, he said investigators uncovered identity-theft schemes hatched by tellers at some of the biggest institutions. Hundreds of bank customers have lost millions of dollars, he said.

There are "common security weaknesses in the banking industry that allowed these schemes to go largely undetected," he wrote. They include inadequate employee audits and flawed call-centre data practices, he said.

Read also:
• Insider hacking a big threat for employers
• How NZ banks can fend off cyber fraud

Schneiderman's alert to JPMorgan Chase & Co, Bank of America, Citigroup and other lenders followed his multiyear probe "Operation Pen & Teller," which revealed teller identity-theft plots. He urged banks to improve internal controls and limit employee access to data.

The letter expands on a fear Schneiderman has voiced before. Wrongdoing by insiders is the third-leading cause of unauthorised exposure of customer records in New York, he said in a report last year. From 2006 to 2013, more than 1.2 million customer records were exposed in 511 insider-caused security breaches, he said.

Tellers "frequently retrieved customer account numbers and Social Security numbers from bank databases, without authorisation or a legitimate business need," Schneiderman wrote. Purloined data was used to create phony documents, which tellers then used to impersonate account holders and withdraw money, he added.

"While we are reviewing the letter, protecting our customers' information is of critical importance to us," Citigroup spokeswoman Elizabeth Fogarty said in an emailed statement on Monday.

Michael Fusco, a JPMorgan spokesman, and Anne Pace, a Bank of America spokeswoman, declined to comment on the letter.

Earlier this year, an ex-JPMorgan employee was accused of trying to sell data for several accounts, including one containing $150,000, while he worked at a branch. Fusco said customers didn't lose any funds and were provided with free credit monitoring.

- Bloomberg