Two men were arrested last week for their part in the theft and subsequent sale of customer data taken from Countrywide Home Loan. One of the two men, Rene L. Rebollo Jr., an ex-Countrywide employee, took advantage of a policy breakdown on the company's network, copied data to a flash drive, and then later sold it, the FBI reports.
Insider threats lead to data loss at Countrywide. (Image: J. Anderson)
Rene L. Rebollo Jr. (36), of Pasadena, was a former employee of Countrywide Home Loan. He was arrested without incident at his residence by special agents with the FBI.
The FBI alleges that Rebollo had access to Countrywide computer databases, many of which contained sensitive information of Countrywide clients. Countrywide terminated Rebollo’s employment in July 2008, but not before he gave out account information belonging to Countrywide customers to third parties over the course of two years. The transactions and sales of this information netted him about $50,000 to $70,000 USD.
Rebollo was requested by other individuals to obtain specific types of data from Countrywide, and he was able to do so because of his access to many of Countrywide’s databases, which held information about clients from around the United States. Rebollo was charged with exceeding authorized access to the computer of a financial institution, and is facing a maximum penalty of five years in federal prison.
Also arrested was Wahid Siddiqi (25). Siddiqi was recorded by a confidential witness working for the FBI when he placed an order for personal profiles at a negotiated price. Siddiqi was charged with fraud and related activity in connection with access devices; he faces a maximum penalty of 15 years in prison.
The Tech Herald spoke with Ellen Libenson, Vice President of Product Management at Symark, and asked a few questions regarding insider threats, something the company knows very well as its Power Series deals with this type of threat.
The Tech Herald (TTH): According to the FBI, Rebollo had been downloading and selling customer names for over two years. Bank of America, which owns Countrywide, is not talking about its internal security measures; however, it is clear that an IT audit missed something. What is your opinion on the case, and insider threats in general? Why are insider threats such a big problem recently?
Ellen Libenson (EL): The growth of insider threat mirrors the growth of Internet adoption and Web-based technologies. Insider threat has always been an issue, but the number of incidents is accelerating due primarily to identity theft. Also, the bulk of the incidents have moved from the sabotage category to the lucrative field of identity and data theft. ID theft is a huge, lucrative business, often fueled by organized crime units based outside of the US.
It’s difficult to prosecute, and it’s viewed as a white collar crime or lesser “faceless” crime by many, since often the banks, credit card companies, or big business bears the burden of the costs. One can also often sell this information somewhat anonymously through chat rooms. For years, many companies were reluctant to report data thefts, and the crime went unreported and thus unprosecuted for a long time, which encouraged the perpetrators. That’s why there are now laws mandating public disclosure and notification. The increased disclosure brought on by legislation can give the impression that this type of crime is accelerating, and it is. Organizations that have lax security are targeted more often than others.
TTH: Rebollo also told the FBI, according to its report, that he had access to various databases on the Countrywide network. He was a senior financial analyst, so you can assume that this level of access is needed. What security measures would have helped out to prevent this misuse of access?
EL: One could move away from a trust-based system to a process-based system. If the company had a product that rotates the access password on hosts and databases and changes it after each user’s access, that would help. Rebollo would have to request/check out a password each time and be required to supply a business reason as to why he was accessing that database. (This is done via email and takes just a short minute.)
Each request would be logged, and thus there would be an indelible record of the access event. In some cases, the company could require a manager to approve a user’s request to access a system, and there would be a record of that as well. The fact that there is now an accountability process in place may serve as enough of a deterrent to employees, because logs could prove their culpability. Logs would show a lot of access activity and flag this user. Also, many systems can be configured to control what a person can do with their password once they get it, i.e., viewing data only, not exporting or downloading it.
TTH: What are five things you would suggest a company do to prevent itself from being in the same spot as Countrywide?
EL:
1. Trust but verify: grant people the access required to do their jobs and no more than that, and monitor that access.
2. Always enforce separation of duties (SOD) and the doctrine of least privilege.
3. Limit the rights of privileged accounts and limit user access to privileged accounts; privileged accounts can bypass most IT controls to access or destroy sensitive data.
4. Control what the privileged accounts themselves can do.
5. Always be auditing: enforce accountability, log as much access activity as possible, especially keystrokes, establish an indelible audit trail, define and flag any anomalies, and send an alert to a manager.
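The process Libenson describes in the two answers above (a credential that is checked out per access with a stated business reason, rotated after each use, optionally gated on a manager's approval, written to an audit trail that cannot be quietly edited, and a flag on a user whose pull volume is out of line) is sketched below as an added example. It is not code from the article, from Symark, or from its Power Series product. The class name `AccessBroker`, the targets `loans_db` and `customer_db`, the user names, the approver `manager1`, the baseline of five pulls per day and all timestamps are hypothetical; the scenario is constructed to show one entitled user exceeding the baseline. The audit log is made tamper-evident with a SHA-256 hash chain, which is one way to realise the "indelible record" the interview calls for, not a claim about how any product does it.

```python
"""Hypothetical privileged-access broker (added example, not from the article).

Each access to a database credential must be checked out with a business
reason, may require a manager's approval, is logged into a hash-chained
audit trail, and the credential is rotated when checked back in.  A simple
detector flags any user whose granted check-outs in a rolling window exceed
a baseline, which is the "logs would flag this user" step in the interview.
"""
import hashlib
import json
import secrets
from collections import deque

GENESIS = "0" * 64  # prev_hash of the first audit entry


class AccessBroker:
    def __init__(self, entitlements, needs_approval=(), baseline_per_day=5):
        # Least privilege: a user may only check out targets listed here.
        self.entitlements = {u: set(t) for u, t in entitlements.items()}
        self.needs_approval = set(needs_approval)   # targets needing sign-off
        self.baseline_per_day = baseline_per_day     # hypothetical threshold
        self.credentials = {}     # target -> current secret (rotated on check-in)
        self.checked_out = {}     # target -> user currently holding it
        self.log = []             # append-only, hash-chained audit entries

    def _record(self, **fields):
        """Append an entry whose hash covers its fields and the previous hash."""
        fields["prev_hash"] = self.log[-1]["entry_hash"] if self.log else GENESIS
        body = json.dumps(fields, sort_keys=True).encode()
        fields["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.log.append(fields)

    def checkout(self, user, target, reason, ts, approved_by=None):
        """Issue a fresh credential or log the denial and raise."""
        base = dict(ts=ts, user=user, target=target, reason=reason,
                    approved_by=approved_by)
        if not reason.strip():
            self._record(result="denied_no_reason", **base)
            raise PermissionError("a business reason is required")
        if target not in self.entitlements.get(user, set()):
            self._record(result="denied_not_entitled", **base)
            raise PermissionError(f"{user} is not entitled to {target}")
        if target in self.needs_approval and not approved_by:
            self._record(result="denied_no_approval", **base)
            raise PermissionError(f"{target} requires manager approval")
        if target in self.checked_out:
            self._record(result="denied_in_use", **base)
            raise PermissionError(f"{target} is checked out by someone else")
        secret = secrets.token_urlsafe(24)       # one-time credential
        self.credentials[target] = secret
        self.checked_out[target] = user
        self._record(result="granted", **base)
        return secret

    def checkin(self, user, target, ts):
        """Return the credential; rotate it so the value the user saw is dead."""
        if self.checked_out.get(target) != user:
            raise PermissionError(f"{user} does not hold {target}")
        self.credentials[target] = secrets.token_urlsafe(24)
        del self.checked_out[target]
        self._record(ts=ts, user=user, target=target, result="checked_in_rotated")

    def verify_log(self):
        """True if no entry has been altered, removed or reordered."""
        prev = GENESIS
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev_hash"] != prev or digest != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def flagged_users(self, window=86400):
        """Users whose granted check-outs in any `window` seconds exceed baseline."""
        recent, flagged = {}, set()
        for e in self.log:                       # log is appended in time order
            if e["result"] != "granted":
                continue
            q = recent.setdefault(e["user"], deque())
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) > self.baseline_per_day:
                flagged.add(e["user"])
        return flagged


def build_demo():
    """Constructed scenario (no real data): an analyst pulls loans_db eight
    times in one day, tries a database he is not entitled to, and a DBA is
    only granted customer_db once a manager has approved."""
    broker = AccessBroker(
        entitlements={"analyst": ["loans_db"], "dba": ["loans_db", "customer_db"]},
        needs_approval=["customer_db"], baseline_per_day=5)
    for i in range(8):                           # 8 pulls: exceeds baseline of 5
        ts = i * 3600.0
        broker.checkout("analyst", "loans_db", "monthly report", ts)
        broker.checkin("analyst", "loans_db", ts + 600)
    for user in ("analyst", "dba"):              # both denied, both logged
        try:
            broker.checkout(user, "customer_db", "data fix", 40000.0)
        except PermissionError:
            pass
    broker.checkout("dba", "customer_db", "ticket 4711", 41000.0,
                    approved_by="manager1")
    broker.checkin("dba", "customer_db", 41500.0)
    return broker


if __name__ == "__main__":
    b = build_demo()
    print("log intact:", b.verify_log(), "flagged:", b.flagged_users())
```

Denials are logged before the exception is raised, so a user probing for databases outside his entitlement leaves the same kind of trail as a granted pull, and the detector can be extended to count those too. The hash chain only proves that the log was not edited after the fact; it still has to be shipped somewhere the privileged user cannot reach, which is the point of keeping the audit trail outside the systems being audited.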