I was catching up on some reading and happened across the latest breach story that happened at Countrywide. I read the story at the
boston globe.
It wasn't an outsider but an Insider who harvested the data and sold it. Why in this day and age companies still think it's cheaper to have a breach than prevent one. I will have to ping Larry at the
Ponemon Institute to see what the cost per record is up to. I'm sure David Rowe over at
Netvision is shaking his head as well. We have had several cups of coffee talking about the Insider threat for a couple of years.
The story...
More than 45,000 Massachusetts consumers may have had personal information stolen in the security breach at Countrywide Financial Corp., according to the company.
Countrywide alleged that a former employee sold personal information of 2.2 million customers, including Social Security numbers and mortgage loan numbers, to a third party. Two arrests have been made.
The number of affected consumers in Massachusetts is far greater than initially thought. On Aug. 1, in a letter to Daniel Crane, director of the state Office of Consumer Affairs and Business Regulation, Countrywide said it mailed notification letters to "three affected Massachusetts consumers."
On Sept. 10, the California mortgage lender sent a second letter, saying that "as a result of the ongoing investigation," Countrywide had identified 45,283 at-risk consumers in Massachusetts. State law requires agencies that store consumers' personal information to issue notifications of security breaches "as soon as practicable and without unreasonable delay."
According to FBI reports, Countrywide fired the accused employee, Rene Rebollo Jr., in July. Rebollo allegedly confessed to downloading 20,000 data files per week for two years, and said he earned as much as $70,000 from the sale of the data. Wahid Siddiqi is being charged for allegedly purchasing the information.
Both men were arrested in August, a month before the breach was made public. Both pleaded not guilty.
In its letters to state officials, Countrywide said on June 11 the US Attorney's Office requested it delay notifying consumers. "It's an ongoing investigation with the FBI and we are being very, very careful as not to jeopardize it," Countrywide spokeswoman Susan Martin said.
Massachusetts Attorney General Martha Coakley declined to say whether the state was conducting its own investigation. "This is different than any other breaches in that there was no negligence on the part of the company," Coakley said yesterday. "This was intentional, and the information was sold to outside parties."
Countrywide is offering two years of credit monitoring to affected customers. But Wendy Thomas of Peabody questions if Countrywide notified at-risk customers in a timely fashion. Her husband learned last week his personal data could have been stolen and sold. "I felt like we were left out here in the wind."