Capital One recently began notifying an undisclosed number of customers that their personal information, including name, account numbers and Social Security number, may have been inappropriately accessed by an employee (h/t DataBreaches.net).
“We know how unsettling this news can be and want you to know that we’ve notified law enforcement and this person is no longer with the company,” company vice president of operations Douglas Woodward wrote in the notification letter [PDF].
All those affected are being offered two free years of access to identity protection services from TransUnion. Customers with questions are advised to contact (888) 372-8305.
A recent SpectorSoft survey found that 59 percent of IT professionals don’t have the ability to detect insider threats, and 35 percent have already experienced an insider attack.
“While the percentage of insider threats — approximately 30 percent of all cyber attacks — has stayed broadly consistent since 2004, the total number of such attacks has increased dramatically, resulting in $2.9 trillion in employee fraud losses globally per year,” the SpectorSoft report [PDF] noted.
Those attacks cause significant headaches for companies across a variety of industries on a regular basis.
On October 21, 2014, Alexander Alvarez, 32, was charged with two counts of bank fraud for allegedly stealing more than $100,000 from customers of the bank where he worked as a financial service representative. Alvarez allegedly used his position to identify accounts that had little activity, then created fraudulent transfer slips before withdrawing the funds from the bank in cash or transferring them to his personal account.
Alvarez allegedly stole $100,806.85 from one customer, and $11,137.01 from another customer. If convicted, he faces up to 30 years in prison and a fine of up to $1,000,000.
And on October 24, 2014, La Toya Yvette Tillman, 33, was sentenced to three years in prison to be followed by three years of supervised release for using her position as a medical assistant at Gastroenterology Consultants in Hollywood, Florida, to steal patients’ names, birthdates and Social Security numbers from the Memorial Healthcare System database.
Tillman, who pled guilty in August 2014 to one count of possessing 15 or more unauthorized access devices with the intent to defraud and one count of aggravated identity theft, sold approximately 2,000 people’s personal information for $1.00 each to a man who told her he used the identities to file fraudulent tax returns. Authorities also found a list of 114 people’s personal information in Tillman’s car.
A recent eSecurity Planet article offered several tips on how to defend against insider threats.