07 Aug 2008, Victoria Pennington, Operational Risk & Regulation
CALABASAS, CA – The man accused of stealing customer data from home mortgage lender Countrywide was probably able to download and save the data to an external drive, due to an oversight by the company's IT department.
On August 1, Rene Rebollo, a former senior financial analyst at Countrywide, was arrested for his alleged role in stealing customer data and selling it.
Rebollo told US Federal Bureau of Investigation agents that he had known that the computers in the Countrywide office had security features that restricted downloads of data to an external source, but that he had found one that didn’t. FBI affidavits show Rebollo admits collecting names on request by his buyers and downloading them onto his personal thumb drive using that one computer in the office. Rebollo might have specifically collected names of people who recently declined an offer of a loan by Countrywide, for example.
The accused estimates that, over a two-year period, he downloaded approximately 20,000 customer profiles each week and sold files with that many names for US$500, according to the affidavit. The profiles included Social Security numbers and other personal details.
Countrywide's owner, Bank of America, has not responded to a request for information about the type of security it employs to prevent this type of theft. According to a statement from the FBI last week, Countrywide says it is analysing the stolen data to determine whether any customer identities have been compromised. If they have, the company says it will notify the customers affected.