The huge security breach recently uncovered at a clutch of US banks is now believed to have compromised the records of 676,000 customers, making it the largest ever recorded.
Since details of the story was first emerged last week, the number of affected customers has been growing to unprecedented levels, as has the number of arrests of alleged crime gang members. The latter now stands at nine people, including seven former employees of the New Jersey-based banks involved: Wachovia, Bank of America, Commerce Bancorp, and PNC Bank NA. Unconfirmed U.S. reports suggest two further arrests are imminent.
Elements of the case, including its disturbing ease, will concern banking authorities. Police investigators allege that an unlicensed front company called DRL Associates Inc. was set up by one of the accused, Orazio Lembo, who is also believed to be the ringleader. He was then able to hire mid and upper-level bank employees to siphon off information from customer records, including names, addresses, account numbers, and bank balances.
One of those accused of helping him is a former manager of the New Jersey Department of Labor, so this is no simple blue-collar subversion.
Investigators noted that employees in on the scam would normally have accessed between 40 and 50 customer record searches a day, but this was running at up to 10 times this amount during the period of theft.
The information was eventually sold to collection agencies and law firms, which suggests that the business planned to exploit the personal information in sophisticated but unspecified ways.
It is not clear whether any of the victims suffered direct financial losses as a result of the theft of personal information, but the police plan to question the companies that purchased the information stolen by DRL, to see how it was used or abused.
The case is now being described by Federal authorities as the largest such fraud ever uncovered in the US, which makes it likely to be biggest ever recorded anywhere. It is unlikely to be the last time the technique of using employees to execute large-scale data theft is heard of, however.
Banks will be worried at the apparent ease with which a criminal was able to hire senior insiders to carry out information theft, as well as at the scale of a compromise that ran across several different banks.