Security Oversight May Have Enabled Countrywide Breach

The man accused of stealing customer data from home mortgage lender Countrywide probably was able to download and save the data to an external drive due to an oversight by the company's IT department.

On Friday, Rene Rebollo, a former senior financial analyst at Countrywide, was arrested for his alleged role in stealing customer data and selling it.

U.S. Federal Bureau of Investigation affidavits show that Rebollo told special agents that he knew most computers in the office had a security feature that disabled the use of a thumb drive. However, he discovered that one computer didn't have this feature.

On a weekly basis, often on Sundays, Rebollo would collect customer names per request by his buyers and download them onto his personal thumb drive using that one computer in the office, according to the documents. Rebollo might specifically collect names of people who recently declined an offer of a loan by Countrywide, for example.

Over a two-year period, Rebollo estimated he downloaded approximately 20,000 customer profiles each week and sold files with that many names for US$500, according to the affidavit. The profiles included Social Security numbers and other contact details about the people. He typically would e-mail the data in Excel spreadsheets to his buyers, often using computers at Kinko's copying and business center stores.

Countrywide's owner, Bank of America, has not responded to a request for information about the type of security it employs to prevent this type of theft. According to a statement from the FBI last week, Countrywide said it is analyzing the stolen data to determine whether any customer identities have been compromised. If they have, the company said it will notify the customers, according to the FBI statement.

While it's not clear what type of security Countrywide employs that disables the use of thumb drives, it may use software that includes an agent on all computers that IT administrators can set to control how each port on the computer can be used. Such products can allow administrators to set rules that allow certain employees to access certain ports, or set rules that define what types of files can be copied to certain ports, said Pat Clawson, chairman and CEO of Lumension Security, a company that sells such software. If this is the method Countrywide uses, its administrators may have accidentally failed to install the agent on the computer that Rebollo discovered.

But that type of vulnerability can be avoided, Clawson said. Companies should have policies that require any device that touches the network to be checked. "No matter if that device is a laptop or a handheld, it has to go through some sort of scanning process to find if they have all the requisite materials before you allow them to access the network. It's clear that didn't happen here," he said.

Many companies that handle sensitive data also have systems that enforce encryption rules and prevent most workers from copying sensitive data, Clawson noted.

Some organizations have resorted to far more "draconian" methods to try to prevent this type of theft, Clawson said. For a time, many U.S. government agencies filled USB ports with hot glue and drove plastic screws into microphones in an effort to prevent access to them, he said.

The FBI collected some of the customer data allegedly stolen by Rebollo by working with confidential witnesses who agreed to buy the data from one of Rebollo's customers, Wahid Siddiqi, who was also arrested last week. The witnesses then turned the data over to the FBI agents. Countrywide matched those numbers provided by the FBI with its own internal spreadsheets, confirming that the names were from its customers and were paired with accurate Social Security numbers.

In two years, Rebollo estimated he earned $50,000 to $70,000 on the activity. His Countrywide salary was $65,000 per year, according to the documents.

Rebollo initially cooperated with FBI agents, describing his actions to them and willingly giving them one of his home computers and a thumb drive, according to the affidavit. But he later seemed to have changed his mind. A few days after his meeting with the agents, Rebollo's lawyer told the FBI that he had decided to revoke his consent to search the drive and the computer.

Rebollo, who faces as much as five years in federal prison if convicted, was released on an $80,000 bond last week even though he doesn't appear ready to give up his activities, at least according to the affidavits. FBI agents said that six days after they spoke with Rebollo, when he described how he stole and sold the data, he called a witness offering to sell him more Countrywide customer names.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Related:
Shop Tech Products at Amazon