Bank of America data leak destroys trust
Andrew Goldstein has been a Bank of America customer for more than four decades. He’s grown up with the bank, trusted it, relied on it to be there for him through thick and thin.
So it was with more than a little shock that Goldstein, 60, learned the other day that a BofA employee apparently leaked confidential information about his and hundreds of other customers’ accounts to scammers, resulting in more than $10 million in losses.
In Goldstein’s case, the security breach resulted in his checking accounts being rapidly drained of more than $20,000.
“You can almost understand it if a hacker gets into your computer and steals your personal information,” the Santa Monica resident told me. “But for someone at a major institution that you’ve been with almost your whole life....”
His voice trailed off. For Goldstein, the wound is still raw.
According to the Secret Service, 95 suspects have been arrested so far in connection with the case, which is only now coming to light as BofA finally informs customers that their accounts were compromised.
The far-reaching fraud serves as a cautionary tale for all consumers who entrust virtually their entire financial lives to major companies. We want to believe those companies are worthy of the responsibility bestowed upon them.
All too often, though, the guardians of our personal info prove sloppy or negligent in keeping data secure. And in some cases, their own insiders have a hand in perpetrating fraud.
“Bank of America knows that the security and confidentiality of customers’ information is our responsibility,” said Colleen Haggerty, a bank spokeswoman. “We absolutely apologize for this incident.”
Goldstein’s trouble began last September. He’d just returned home from a trip and found a UPS sticker on his door informing him that his bank checks had arrived.
That was strange. Goldstein hadn’t ordered any new checks from BofA.
Everything that happened next happened quickly. Goldstein was able to piece it all together only after speaking with the various businesses involved.
A BofA employee with access to customers’ banking records had apparently leaked reams of data to a ring of scammers. Goldstein’s personal information was included in the security breach.
The purloined info included people’s names, addresses, Social Security numbers, phone numbers, bank account numbers, driver’s license numbers, birth dates, email addresses, mother’s maiden names, PINs and account balances.
The scammers ordered new checks for two of Goldstein’s three BofA checking accounts. They also arranged with UPS to be able to pick up the checks at a UPS outlet rather than have them delivered to Goldstein’s address.
Next, the perpetrators contacted Goldstein’s phone company, Verizon, and arranged for all calls to Goldstein’s home to be forwarded to the scammers’ cellphone. This was apparently intended to prevent BofA from contacting Goldstein once the fraudulent checks started being used.
The thieves then called BofA and asked that some of the money in Goldstein’s third checking account — the one they hadn’t yet accessed — be transferred to one of the accounts they had checks for.
No problem. “The bank did it right over the phone,” Goldstein said.
Now the scammers had about $23,000 at their fingertips, and they went on a spending spree. BofA told Goldstein that checks were cashed everywhere from Hollywood to Las Vegas within a matter of hours.
Goldstein realized something was screwy when he went online the next day and looked at his accounts. He immediately went to his local BofA branch and tried to straighten things out.
“While I was at the bank,” he told me, “the scammers called again and did another telephone transfer — while I was sitting there! We actually saw the amount in my account go down on the computer screen.”
Once it confirmed that Goldstein was a fraud victim, BofA reimbursed him for his losses and set up new checking accounts. But bank workers refused to go into detail with him about what had happened.
Goldstein realized that he was one of many victims only after he received a letter from BofA informing him that “an incident” had occurred “that resulted in the disclosure of customer information for the purpose of engaging in fraudulent activity.”
“The incident was the result of a now former employee who provided information to individuals for the purpose of conducting fraud on your Bank of America account,” it said.
Haggerty, the bank spokeswoman, declined to provide details of the case because the investigation is still open. She said only that “about 300” customer accounts were affected in California and other Western states.
Haggerty said BofA first learned about the security breach about a year ago and immediately notified law enforcement agencies. She declined to provide any information about the former bank worker, including where he or she was based and whether he or she had been arrested.
Jim Kollar, assistant special agent in charge of the Secret Service’s Los Angeles office, said Secret Service and FBI agents arrested 95 suspects in the case in February. He said it’s possible the suspects have gang ties.
“It was a ring of people, based in Southern California, with an inside person at the bank pushing out the information,” Kollar said. “They had a lot of people on the outside receiving that information.”
Along with reimbursing victims of the fraud, BofA is offering two free years of credit monitoring.
Goldstein said he’s going to accept the bank’s offer. And, for now at least, he has no plans to take his business elsewhere.
But the trust is gone.
“I go online and check my accounts two or three times a day,” Goldstein said. “It’s not like before.”
David Lazarus’ column runs Tuesdays and Wednesdays. He also can be seen daily on KTLA-TV Channel 5. Send your tips or feedback to firstname.lastname@example.org.
The view from Sacramento
Sign up for the California Politics newsletter to get exclusive analysis from our reporters.
You may occasionally receive promotional content from the Los Angeles Times.