An outside law firm working for Wells Fargo mistakenly provided a former employee suing the bank with 1.4 GB of data on at least 50,000 Wells Fargo customers, including names, Social Security numbers and financial details of high net worth clients, as well as Wells Fargo financial advisers' compensation information and client lists, The New York Times reports.
"There are thousands of documents in here that the public should never see," Gary Sinderbrand, the former employee, told the Times.
The data was provided to Sinderbrand's lawyer with no confidentiality agreement or protective order. The Times notes that the disclosure violates several state and federal consumer protection laws regarding the release of personally identifiable information to third parties.
When notified of the issue by email, the lawyer who mistakenly forwarded the information responded, "Obviously this was done in error and we would request that you return the CD asap so that it can be properly redacted."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
In a statement provided to The Globe and Mail, Wells Fargo said, "We are currently taking legal action to ensure the additional data is not disseminated, and we are requesting its rapid return. We continue to thoroughly investigate this matter and will take proper steps, including corrective action, based on the outcome of our investigation."
Ensuring Data Protection
"It's no longer good enough to ensure end-to-end protection within the walls of your enterprise -- that protection has to extend to the networks of any third party with access to your network," Urbanovich said. "In the case of Wells Fargo, that translates to thousands of third parties, any one of whom could cause real financial and reputational damage if compromised."
"It's critical that organizations hold the third parties they interact with accountable to the same standards of data protection they adhere to internally, and that starts with measuring and monitoring third-party risk exposure," Urbanovich added.
A recent Tripwire survey of 350 security professionals at Infosecurity Europe 2017 found that when asked whose neck is most on the line if a company has a data breach, 40 percent said the CEO is most responsible, followed by the CISO (21 percent).
Still, Tripwire vice president Tim Erlin said in a statement that even the most diligent organizations are susceptible to attack and human error. "Businesses need to implement and maintain a core set of foundational security controls, which is a proven strategy for reducing the risk of cyber attacks," he said. "The focus should be on a balance of tools and outcomes and especially a balance between prevention and detection."
Managing End Users
There is an increasing awareness of the need to manage those risks. In a recent survey [PDF] of 580 IT security pros at Black Hat USA 2017, when asked about the weakest link in today's enterprises defenses, 38 percent of IT security pros pointed to users who violate security policy, up significant from 28 percent a year ago.
Similarly a recent Concensus survey of 304 IT professionals in the U.K., sponsored by HANDD, found that while 43 percent of respondents think employees are an organization's greatest asset, 21 percent believe employee behavior poses a big challenge to data security.
Over a third of respondents said ensuring data is stored securely is their biggest challenge and most likely to keep them awake at night.
"Employees are probably your biggest asset, yet they are also your weakest link, and so raising user awareness and improving security consciousness are hugely important for companies that want to drive a culture of security throughout their organization," HANDD CTO Danny Maher said in a statement.