Winnipeg Free Press (Newspaper) - January 6, 2025, Winnipeg, Manitoba
Bank insiders are leaking data on client accounts as scams surge
The new staffer was supposed to help Toronto-Dominion Bank spot money laundering from an outpost in New York.
She instead used her access to bank data to distribute customer details to a criminal network on Telegram, according to prosecutors in Manhattan. Local detectives who searched her phone allegedly found images of 255 cheques belonging to customers, along with other personal information on almost 70 others.
It’s part of a little-noticed pattern popping up across U.S. banking — from towers in Manhattan, to hubs in Florida and even suburban Louisiana.
As sophisticated scams targeting the life savings of Americans create headlines across the U.S., the industry’s lowest-paid employees keep getting caught selling sensitive customer information out the back door — emerging as a critical area of weakness in banks’ risk controls.
That’s an inconvenient trend as firms steadfastly argue to policymakers and the public that customers bear primary responsibility for ensuring they don’t get conned out of their savings. While many scams seemingly target people at random, some victims have said con artists who tricked them knew a lot about their finances at the outset.
“The more employees there are inside a company with access to sensitive customer information, the higher the risk that access is going to be abused,” said R.J. Cross, a privacy advocate at U.S. Public Interest Research Group.
“Companies need to have technical measures in place to ensure employees and contractors can’t run off with people’s information or access data that isn’t necessary for their job duties.”
There have been warnings for years.
Almost a decade ago, New York’s then-attorney general, Eric Schneiderman, publicly urged major lenders including JPMorgan Chase & Co., Bank of America Corp. and Citigroup Inc. to strengthen internal defences after an investigation found an identity-theft ring had enlisted tellers from the industry. That built on a broader study by his office showing leaks by corporate insiders were already on the rise, with data “often obtained exclusively for fraudulent purposes.”
Such concerns now carry new urgency. U.S. retirees sitting atop a record stockpile of wealth are facing an onslaught of elder fraud, with estimated annual losses soaring past US$28 billion. For con artists, tips on who has a lot of money can be invaluable.
Meanwhile, bank lobbyists are fending off legislative attempts to force firms to do more to protect customers or share their losses.
Data flowing wrong way
The recent spate of busts shows banks haven’t yet figured out how to stop employees from trying to monetize their access to highly valuable and sensitive customer information. Some connect with local conspirators on social media for schemes as mundane as faking cheques. Banks typically make those victims whole. But more sophisticated cons have proliferated in recent years, often leaving customers on the hook for their losses.
A few prosecutions, like the one against Wade Helms of Navy Federal Credit Union, illustrate how far data can flow.
Authorities in Escambia County, Fla., accused Helms of jotting personal information about customers in a notebook, creating a handle for himself on the dark web, and making it known he was seeking a buyer for information on clients at Navy Federal, the largest U.S. credit union. In one chatroom, Helms found someone who claimed to be a broker for stolen data. The two allegedly spoke by phone, then continued the conversation on a personal computer Helms kept next to his office desk.
The broker “wanted high-dollar account information because that would sell easier on the dark web,” according to an affidavit for an arrest warrant for Helms. The broker created Telegram pages called “Navy Wave,” where screenshots of customer accounts were posted. Some were provided by Helms, who had taken screenshots of customer banking statements and pictures of their identification, according to the warrant.
“Navy Wave” had multiple handles that began with ScammingServices with more than 2,700 subscribers. By the time the credit union’s internal security discovered the breach, Helms allegedly had exposed as many as 50 accounts. At least five postings on the “Navy Wave” pages included Navy Federal accounts Helms provided.
In a deal with prosecutors this year, Helms pleaded no contest to 11 charges, including illegal use of personal identification, and was sentenced to 10 years’ probation. He was also ordered to pay about US$9,100 in restitution to Navy Federal.
A lawyer for Helms didn’t reply to messages seeking comment.
“Navy Federal takes all necessary precautions to protect our members’ personal and financial information,” a spokesperson for the credit union said in a statement. “We strengthen our processes on a constant basis to ensure member information is kept confidential and continuously monitor member accounts for unusual activity.”
The lender said it worked with law enforcement to help secure a conviction.
Incentivizing firms
It’s challenging for companies to adjust to trends in crime, especially as firms are scaling up workforces with thousands of staff, including high-turnover jobs, said Jonathan Lopez, a former U.S. federal prosecutor who specializes in bank crime cases.
“The issue may not be one of a faulty program in many instances, but the sheer numbers of people involved,” said Lopez, a partner at Jacobson Lopez in Washington. “While zero fraud rates may be impossible, institutions should be incentivized to continue to strive to get their fraud rates and insider fraud rates as close to zero as possible.”
Toronto-based TD Bank’s recent US$3.1 billion settlement with U.S. authorities for failing to prevent money laundering revealed executives’ focus on costs had contributed to weak internal systems. A result was a rash of crime that mostly went undetected until U.S. federal investigators tracking fentanyl sales on the East Coast took a close look at the bank.
The probe found several branch-level employees accepted bribes of cash and gift cards to open accounts and issue debit cards that were then used to move money to Colombia through ATMs.
The increased scrutiny also revealed a New York-based branch manager stole more than US$200,000 from an elderly client, using account information and a fraudulent email address to siphon funds even after the retiree died. The banker, later fired by TD, admitted to the crime and was sentenced to more than a year in prison. His lawyer said he stole the money to pay for his son’s college tuition.
In September, authorities in New York swooped in on Daria Sewell, a new employee in TD’s anti-money laundering operations, accusing her of storing images of customers’ cheques on her cellphone. The breach exposed accounts to a network of New York-area fraudsters who were charged in a US$500,000 cheque-fraud scheme, according to the Manhattan district attorney’s office.
Investigators said Sewell distributed information on Telegram with instructions on how to open bank accounts and move money from the TD accounts into them. Recipients allegedly then split profits with her.
Sewell has pleaded not guilty to unlawfully possessing personal information. A lawyer representing her didn’t reply to messages seeking comment.
“In both instances the employees were terminated and we co-operated fully with authorities in their investigations,” a TD spokesperson said in an email. “As we have consistently said, these individuals aren’t representative of our 30,000 colleagues in the U.S. who serve our customers with integrity.”
Fraud ring
Outsourcing can create more cracks in banks’ defences.
In Louisiana, federal prosecutors traced a cheque-fraud ring to employees of international call centre Teleperformance, where three employees in Shreveport were accused of selling the account information of elderly USAA customers.
The scheme went on for almost two years with the three — Arazhia Gully, Maya Green and Zarrajah Watkins — joining and offering information on customers with high account balances to a network of more than a dozen others, according to federal prosecutors. Some recipients used counterfeit cheques to make withdrawals. A portion of the proceeds was later deposited into the personal account of a Teleperformance employee and withdrawn at a nearby casino.
The trading of that data was similar to ordering from a menu at a restaurant, with outsiders choosing which accounts to exploit.
In an example provided by prosecutors, Gully sent a conspirator a text message containing the ages and account balances of eight USAA customers. The person responded with their pick: a 79-year-old with US$442,000. Gully then sent a picture of a computer screen showing detailed account information. Another victim was a 95-year-old with US$174,000.
“We fully co-operated with authorities to aid in the investigation and terminated the employees as soon as we were made aware of the incidents,” Teleperformance said in an emailed statement.
“We work closely with our clients to ensure we minimize our employees’ access to customer account information to include only the access needed to deliver the services and minimize the risk of fraud to the lowest possible level.”
A spokesperson for USAA declined to comment.
The three Teleperformance employees pleaded guilty to bank fraud conspiracy and are awaiting sentencing.
Lawyers for Gully and Watkins declined to comment.
Green’s attorney, Joey Greenwald, said his client was low-level in the network and paid just a few hundred dollars for taking screenshots of accounts.
Greenwald said he was surprised his client was able to see so much information, noting she had a Grade 10 education and was working from home.
“They hooked her up with a computer and a phone and she had all this access to customer accounts.” Greenwald said he’s not aware Green received any training on how to handle the data.
“To trust her with this kind of information was pretty appalling,” he said.
— Bloomberg News
TOM SCHOENBERG
MARK SCHIEFELBEIN / THE ASSOCIATED PRESS FILES
U.S. Attorney General Merrick Garland speaks in October to announce Toronto-based TD Bank will pay a US$3.1-billion settlement after authorities say the financial institution’s lax practices allowed for significant money laundering.