Bank security breach may be biggest
More than 100,000 clients at BofA, Wachovia, others have account info sold by ex-employees.
May 23, 2005: 12:26 PM EDT
NEW YORK (CNN/Money) - Bank of America Corp. and Wachovia Corp. are among the major banks notifying more than 100,000 customers that their accounts and personal information could be at risk because their information was illegally sold by former bank employees.

The data-theft ring may have perpetrated the nation's largest ever banking security breach, a Hackensack, N.J., police statement quoted a Treasury Department representative as saying.

When the Hackensack police first announced the security breach on April 28, it estimated that more than 500,000 accounts were affected; but last week the department increased the total number of customer accounts that allegedly were breached to about 676,000.

"Sifting through the massive amount of computer information is an arduous task," Hackensack Detective Capt. Frank Lomia was quoted by Reuters as saying. "We believe there were at least 200,000 to 300,000 breaches, based on financial records we have seen on DRL's computers, and the number could be higher."

Of the at least four banks involved in the case, Bank of America, the nation's No. 2 bank, has notified 60,000 customers of the problem. Wachovia has notified 48,000 customers.

Customer account numbers and balances were allegedly sold to a man who then sold the information to collection agencies, the Hackensack police department said in a statement. Reuters reports that the information has not been found to have been used in any identity theft schemes.

Wachovia customers whose account information was stolen have received complimentary 1-year credit monitoring service and each account will also be monitored by the bank, a spokesman told CNN, adding that two former Wachovia employees have been charged in the case.

Charges filed

The case has led to criminal charges against nine people, including seven bank employees and alleged ring leader Orazio Lembo, who operated DRL Associates, a company that advertised as a skip-and-trace collection agency.

But DRL did not qualify as a collection or detective agency, the police said.

"Based on forensic examination of Lembo's computers, it was determined that he had employed upper level bank employees to access and identify individual accounts in their respective banks," the police statement said. "That information was then sold to his clients, which included more than 40 law firms and collection agencies."

The police are continuing their investigation into the alleged thefts, in a scheme that may have begun more than four years ago, the department said, and the Department of the Treasury and the Internal Revenue Service also are involved in the investigation.

The FBI in Newark told CNN it is not handling the case, but that the Secret Service may become involved.

In addition to confidential bank information, DRL also obtained employment information from the manager of the New Jersey Department of Labor in Jersey City, Hackensack police said.

Police estimate that Lembo made several million dollars over the past four years; and that his informants each made tens of thousands of dollars in that time.

The customers so far believed to be affected are in New Jersey, Florida, Georgia, North Carolina, South Carolina, Maryland and Pennsylvania, The Wall Street Journal reported Monday.

Other banks affected by the theft ring are Commerce Bancorp, based in Cherry Hill, N.J., and PNC Financial Services Group Inc., although the Journal said only 12 PNC customers have been notified of problems thus far.