Wells Fargo Bank NA is notifying some 7,000 people that their Social Security numbers and other personal information may have been accessed by thieves using the financial services firm's access codes.
The bank learned of the compromise on July 1 from MicroBilt Corp., a reseller of consumer data, according to a Wells Fargo spokeswoman. MicroBilt notified Wells Fargo of suspicious transactions made on its site using the bank's access codes, she said.
The codes are used by certain Wells Fargo employees to access MicroBilt's consumer credit data.
The spokeswoman noted that the accessed records belonged to "random individuals," only a small number of whom were Wells Fargo customers.
"There is a full investigation under way to find out who is behind this," the spokeswoman said. Investigators have not yet determined how the Wells Fargo access credentials were illegally obtained, she added.
The compromise was first reported by The Breach Blog, which posted a link to a July 31 letter in which Wells Fargo notified New Hampshire Attorney General Kelly Ayotte that nine state residents were affected by the breach.
New Hampshire law requires companies to notify the state of breaches that expose the personal information of residents.
In the letter, Peter McCorkell, Wells Fargo's senior corporate counsel, disclosed that "a significant number of unauthorized transactions had been made using Wells Fargo's codes." He said that Social Security numbers, birth dates, addresses, driver's license numbers and, in some cases, credit account information had been accessed.
The letter also said that the bank has contact information for only about 2,400 of the affected individuals.
In a letter sent to the victims whose addresses were available, Sherry Courtney, a Wells Fargo senior vice president, offered a year's subscription to credit-monitoring services.
Since 2004, Wells Fargo has suffered through a string of breaches, mostly involving lost or stolen computers, that led to the loss of personal data.
This story, "Wells Fargo Access Codes Compromise Personal Data" was originally published by Computerworld.