Atlanta bank SunTrust recently announced that 1.5 million users have potentially been exposed to a criminal third party. Unlike most data exposures we’ve been hearing about, the source of SunTrust’s breach was not caused by cybercriminals, but rather a theft by an employee who gained access to sensitive client information without security clearance.
Sources say the data theft could include information such as names, addresses, phone numbers and bank account balances of SunTrust customers. Simultaneously, SunTrust announced it will partner with Experian to offer identity protection for all consumer clients at no cost on an ongoing basis.
Here’s what happened and how your organization can prevent falling victim to a similar scheme.
An Untrustworthy Employee
An ongoing investigation by SunTrust states that the data breach was caused by a former employee who accessed company contact lists, likely printed this information and gave it to a criminal third party. Luckily, SunTrust is able to confirm that the compromised contacts did not include Social Security numbers, account numbers, PIN, user IDs, passwords or driver’s license information. Additionally, they noted that no client will be held responsible for fraudulent activity or losses their accounts accrue due to the breach.
The company has reportedly been investigating the breach since February when they first noticed the employee attempting to inappropriately download client information, and only disclosed this information publicly after learning the employee may have attempted to share it outside of the bank. Information on how the former employee was able to access the bank’s secure information has not been released, but the glaring security dark spot calls to attention the various attack methods cybercriminals employ to get the information they want.
The Human Face of Cyber Threats
This story serves to bring home an important message; often an organization’s biggest weakness is hiding in plain sight, their employees. Whether it be an employee falling victim to a social engineering trick or conspiring to steal your data themselves, you need to be aware of who has access to your data and take precautions to mitigate risk at every level. You’d be surprised how often employees will give away usernames and passwords over the phone or in an email because they’ve gotten a message from someone claiming to be “technical support.”
Limiting risk begins with education. Employees who are routinely tested and trained when it comes to spotting internal and external threats stand a better chance of mitigating risk and keeping your organization safe from criminals. BAI provides social engineering evaluations and security awareness training that tests and trains employees to assess both common and complex scenarios.
The best weapon against data breaches has always been a well-trained team who can identify risks before unleashing them or opening the door to your proverbial safe. Download our social engineering brochure and information about our security awareness training platform to learn more about how you can teach your employees to spot risk in its many forms.