The Virginian-Pilot reported the following today:
A city employee had online access to nine municipal bank accounts holding hundreds of millions of dollars for years without anyone knowing, the city announced Friday. There’s no indication that money is missing, but nobody really knows yet, according to the city treasurer and an auditor who uncovered the problem.
“At this stage, we think nothing is missing, but I’m not going to jump out there and say that for sure,” Treasurer John Atkinson said. “I’d like to think we would have caught any money being taken, but we have to do a complete investigation to make sure.”
The problem began when Bank of America improperly gave the employee access to all nine accounts about five or six years ago, Beach Auditor Lyndon Remias said. The unidentified employee was setting up a modest human services account for petty cash and small expenses – it never held more than $5,000 – when the bank gave her an online access code that worked for all the accounts.
Remias said his office spotted the problem during an unrelated investigation and asked the employee what was going on. He said it appears the only thing the employee did wrong was not tell anyone about the mistake.
“She was very open with us and showed us how she scrolled down past all the big accounts to get to hers. She had access from her home, a regular online account,” Remias said. “On the day she showed us, the granddaddy of all, the operating account, had $50 million in it.”
Bank of America did not return phone calls late Friday seeking comment.
The city sent out a news release Friday announcing a “potential security breach,” but Remias and Atkinson called that conclusion premature. They are working with Bank of America to search through at least five years of transactions to make sure nothing is missing, a process that will take time.
“The simplest way to look at it was an error on the bank’s part,” Atkinson said. “I am going to investigate thoroughly, but right now, we don’t even know if there is a loss or if there is any crime. We don’t know anything.”
This is reminiscent of an event that took place at AT&T not too long ago.
AT&T fired an employee who improperly accessed about 1,600 customer accounts and could have viewed customers’ Social Security and driver’s license numbers.
The breach came to light after a form letter that AT&T sent to affected customers was submitted to Vermont’s attorney general’s office, which published it on its website.
Mark Siegel, executive director of media relations for AT&T Mobility, said in a statement that one of the company’s employees “did not follow our strict privacy rules and inappropriately obtained some customer information.”
“This individual no longer works at AT&T, and we are directly contacting the limited number of affected customers,” Siegel said.
How do you prevent such problems?
- The keyword is prevention. In the Virginia Beach case the excess access sat unnoticed for five or six years; a control that only kicks in once a loss is suspected is not a control.
- Put standards and controls in place so that such situations cannot arise. Both stories are access-control failures, not code defects: an account was provisioned with far more entitlement than the job required, and nobody compared what had been granted against what had been approved, or looked at how the access was being used. How do you do this?
- Choose a security framework that lets you start security testing at the inception of the SDLC, before any code is written, and that also covers operational controls: least privilege at provisioning time, periodic reconciliation of granted access against approved access, and review of access logs for use outside the approved scope.
- Do your risk assessment, and do not reinvent the wheel.
- Use an established framework, such as those published by OWASP (used by major corporations), for guidance and direction.
- Adapt it to your needs, but respect its principles.
Money spent on the front end pales in comparison to the money spent cleaning up a mess.
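The two controls that would have caught the cases above are an entitlement reconciliation (what the bank or system actually granted versus what management approved) and a review of access logs for use outside the approved scope. The following is an added example, not code from the original post or from either organisation; the user names, account names, the `cust-*` wildcard convention and the log format are all assumptions, and the sample data is constructed to mirror the stories: one clerk approved for a single petty-cash account but granted all of them, an orphaned grant with no approval on file, and one customer-service user walking through dozens of customer records in a day.

```python
"""Entitlement reconciliation and access-log review (added example).

All names, account ids and log lines below are constructed for
illustration; they are not data from the incidents described.
"""
from collections import defaultdict

# Constructed: what management approved, user -> entitlements.
# An entry ending in "*" is a prefix wildcard (assumed convention).
APPROVED = {
    "hs_clerk":  {"petty-cash"},
    "treasurer": {"operating", "payroll", "petty-cash", "capital"},
    "csr_102":   {"cust-*"},
}

# Constructed: what the provider actually provisioned (e.g. a user
# export from the online banking portal), user -> accounts granted.
GRANTED = {
    "hs_clerk":     {"petty-cash", "operating", "payroll", "capital", "debt-service"},
    "treasurer":    {"operating", "payroll", "petty-cash", "capital"},
    "former_clerk": {"payroll"},   # no approval on file at all
}


def is_allowed(account, entitlements):
    """True if the account is covered by an exact or wildcard entitlement."""
    for ent in entitlements:
        if ent == account or (ent.endswith("*") and account.startswith(ent[:-1])):
            return True
    return False


def reconcile(approved, granted):
    """Compare grants to approvals.

    Returns (excess, unapproved): excess maps each user to the accounts
    they hold without approval; unapproved is the set of users who hold
    grants but have no approval record at all.
    """
    excess, unapproved = {}, set()
    for user, accounts in granted.items():
        if user not in approved:
            unapproved.add(user)
            continue
        extra = {a for a in accounts if not is_allowed(a, approved[user])}
        if extra:
            excess[user] = extra
    return excess, unapproved


def build_sample_log():
    """Constructed access log: '<timestamp> <user> <account> <action>' per line."""
    lines = [
        "2013-03-01T09:12:00 hs_clerk petty-cash view",
        "2013-03-01T09:13:10 hs_clerk operating view",   # outside approval
        "2013-03-01T09:14:00 hs_clerk payroll view",     # outside approval
        "2013-03-01T17:40:00 treasurer operating view",
    ]
    # One service rep viewing 40 distinct customer records on a single day.
    lines += [
        f"2013-03-02T1{i // 10}:{i % 10:02d}:00 csr_102 cust-{i:04d} view"
        for i in range(40)
    ]
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed log format into (ts, user, account, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, account, action = line.split()
        events.append((ts, user, account, action))
    return events


def review_access(events, approved, max_distinct_per_day=25):
    """Flag (a) views of accounts outside the user's approval and
    (b) users who touched more distinct accounts in one day than the
    threshold, which is the pattern behind mass lookups of customer data.
    """
    out_of_scope = []
    distinct = defaultdict(set)
    for ts, user, account, _action in events:
        if not is_allowed(account, approved.get(user, set())):
            out_of_scope.append((ts, user, account))
        distinct[(user, ts[:10])].add(account)
    high_volume = {k: len(v) for k, v in distinct.items() if len(v) > max_distinct_per_day}
    return out_of_scope, high_volume


if __name__ == "__main__":
    excess, unapproved = reconcile(APPROVED, GRANTED)
    print("excess grants:", excess)
    print("grants with no approval:", unapproved)
    oos, hv = review_access(parse_log(build_sample_log()), APPROVED)
    print("out-of-scope views:", oos)
    print("high-volume users:", hv)
```

The reconciliation step is the one that matters most: run it on every provisioning change and on a fixed schedule against the provider's own user export, since the error in the first story was made by the bank, not by the city's systems, and would never appear in an internal change record. The per-day threshold is a tuning parameter, not a rule; set it from what the role actually needs.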