In a recent breach notification to New Hampshire’s Attorney General, TD Bank’s Head of U.S. Privacy & Social Media Compliance writes, in part:

“We recently learned that one of our employees obtained and inappropriately used confidential customer information and provided it to an unauthorized party not associated with TD Bank. The personal information they obtained may have included name, address, and account number of the primary account holders and potentially their secondary signers and/or beneficiaries. This is an isolated incident that is being addressed through an internal investigation by our corporate security team and we have contacted local law enforcement.”

“Isolated incident?” Only if “isolated” means “yet another instance.” DataBreaches.net would point out that TD Bank has reported DOZENS of this type of incident to state attorneys general over the past few years. See past coverage on DataBreaches.net (start here and here, and then search the site for other references to TD Bank data breaches).

Should TD Bank be permitted to claim that each incident is an “isolated incident?” Should they be permitted to tell that to consumers when they have a history of having these breaches? And why haven’t federal regulators done anything to secure an agreement with TD Bank to improve its security to address whatever failures they have experienced that have permitted so many insider breaches? If the CFPB won’t do something, surely the FTC can, right?
On March 1, I blogged about numerous insider breaches TD Bank has reported in the past few years. I updated that report on March 9 with even more breaches that I uncovered via public records that were subsequently made available. Today, I received a response to a public records request to the North Carolina Attorney General’s Office. In response to my request for all breach reports submitted by TD Bank between January 1, 2011 and March 8, 2014, they sent me 10 responsive documents. Of those, a number dealt with insider breaches, some of which had not previously been included in my reporting. Some had been mentioned previously, but the North Carolina reports give us the number of customers affected:

In March 2011, TD Bank reported an insider breach discovered in January 2011 that affected 591 customers. The breach was described as “employee defalcation” (misappropriation of funds) and the employee’s job was terminated. In its letter to customers, the bank noted that the employee may have provided customers’ names, addresses, Social Security numbers, dates of birth, and deposit account numbers to unauthorized party or parties not associated with TD Bank.

In August 2011, TD Bank reported an insider breach discovered in June 2011 that affected 1,861 customers. This may be the same incident I previously noted without the number affected and where federal prosecutors charged an ID theft ring including a TD Bank employee.

In December 2011, TD Bank reported an insider breach discovered in November 2011 that affected 2,339 customers. In that case, the employee was not only terminated but law enforcement was contacted.

In August 2012, TD Bank reported an insider breach discovered in April 2012 that affected 1,158 customers. This might be the same incident I previously noted as reported to NYS on July 27, 2012 as affecting 1,144 customers, but it’s not clear from the stock description whether it is or not.

On February 21, 2014, TD Bank reported an insider breach discovered on January 7, 2014 that affected 357 customers. It is possible that this is the same incident reported to New Hampshire in February, but it is not totally clear as the notification letter to customers in New Hampshire specified that the inappropriate access occurred between September and December 2013, whereas the letter to North Carolina customers merely used their stock language without any date range mentioned.

While it may seem unhelpful to go back to 2011 incidents in my chronology, I think it’s important to do so as it shows that there is a long and repeated history and TD Bank should have been taking more effective steps to stem the insider hemorrhages long before now. Will they do so as a result of any investigation by OCC? I have no idea, but I think it’s worth noting when entities have repeated patterns of breaches. I am still awaiting a response to a FOI request to NYS for 2013 data and will update this post if I uncover additional information.
Update 1: March 9, 2014: Added some other incidents that were reported to NYS in 2012 and early 2013. These additions are underlined for your convenience. In the process of reviewing other materials, I have also identified two other banks that have recurring reports of insider wrongdoing. Eventually, I will write up my findings on those banks, too.

We were only two months into 2014 when TD Bank filed its fourth breach report of the year with the New Hampshire Attorney General’s Office. And as I had done with Experian’s breaches, which had also flown under the media’s radar, I noticed a pattern and started looking into TD Bank’s breaches more.

TD Bank’s recent report of February 18th involved an insider breach, and the description is basically identical to breach reports they filed on January 16 and January 24:

“We recently learned that one of our employees may have improperly obtained customer information and provided it to an unauthorized party not associated with TD Bank. The personal information they may have obtained may have included name, address, Social Security number and account number.”

The incidents reported on January 16 and January 24 involved employees who obtained and passed along customer data between July and November 2013. The incident reported on February 18 involved an employee who obtained and passed along customer data between September and December 2013. The January 24th and February 18th reports to New Hampshire residents were also reported to Vermont customers. And the wording of all of these reports was also identical to a report filed with New Hampshire dated December 16, 2013.

In every report, TD Bank indicated that the incident was being handled internally by its corporate security team. Customers were given the option of transferring their accounts to a new account number and were offered two years of free credit monitoring.
DataBreaches.net contacted TD Bank to verify that these were separate breaches and to ask some questions about them. The bank did not respond to specific questions and sent only this general statement:

“At TD Bank, protecting our customers’ financial assets and confidential information is important to us and something we take very seriously. These were isolated incidents and the employees are no longer with the bank. We notified impacted customers and worked with those who may have had their personal information compromised.”

They have not yet responded to a follow-up inquiry that again requested more details, including what TD Bank was doing to prevent future breaches of this kind.

Despite what TD Bank might wish us all to believe, these most certainly were not “isolated incidents.” As some digging on my part quickly revealed, TD Bank seems to have a long history of insider breaches. The following is a partial chronology of insider breaches TD Bank has had. The chronology does not include external breaches like hacks or other types of breaches such as lost backup tapes, mailing errors, skimmers, and printing errors, although those types of breaches have occurred, too:

On June 24, 2011, TD Bank notified the Maryland Attorney General’s Office that an employee in a Pennsylvania branch improperly obtained and may have passed along 304 Maryland residents’ information to an unauthorized third party. The information included name, address, social security number, date of birth, deposit account number and driver’s license number.

In August 2011, federal prosecutors charged members of an ID theft ring that included corrupt insiders at TD Bank in South Jersey.

On January 26, 2012, a TD Bank employee from Elizabeth, N.J., was arrested on charges he conspired to commit bank robbery. See this U.S.A.O. press release. He was sentenced in February 2013.

On January 31, 2012, TD Bank notified the Maryland Attorney General’s Office that a vendor’s employee had obtained and passed along customer data to someone not associated with TD Bank. Fifty-three customers in Maryland were notified of the breach; the total number was not disclosed. Customers in Vermont were also notified.

On February 16, 2012, TD Bank notified NYS that an employee had engaged in wrongdoing affecting 209 customers. Information involved their Social Security numbers and driver’s license numbers or non-license identification numbers. The wrongdoing occurred in December 2011, and was discovered in January 2012.

On February 17, 2012, TD Bank notified NYS of another insider breach affecting 321 customers. That breach also occurred in December 2011, involved the same kind of customer information, and was also discovered in January 2012.

On April 2, 2012, TD Bank notified the Maryland Attorney General’s Office that “We recently learned that one of our employees may have improperly obtained customer information and provided it to an unauthorized party not associated with TD Bank. The personal information they may have obtained may have included name, address, Social Security number, account number and debit card number.”

In April 2012, TD Bank also notified NYS of an insider breach in February 2012 that affected 116 customers, 35 of whom are NYS residents. Due to the lack of detail in the Maryland report of April 2, it is not clear whether this is the same incident or a different one.

On May 15, 2012, TD Bank notified NYS of another insider wrongdoing breach that occurred in March 2012 and was discovered in May. That incident affected one person who experienced fraudulent activity on their account.

On June 5, 2012, TD Bank notified the Maryland Attorney General’s Office that “an employee may have provided a third party with customer data. The personal information which may have been obtained included name, address, Social Security number and date of birth.” On the same date, they also notified NYS of what is likely the same incident, reporting that it occurred in April and was discovered in April. The 460 customers affected were notified in June.

On June 25, 2012, TD Bank notified the Maryland Attorney General’s Office that “We recently learned that an employee may have improperly obtained customer information and provided it to an unauthorized party not associated with TD Bank. The personal information they may have […]
TD Bank has notified the New Hampshire Attorney General’s Office of an insider breach that does not appear to be the insider breach that made the media last month. According to the bank’s January 24 notification, between July and November of 2013, an employee may have passed along some customers’ names, addresses, Social Security numbers, and deposit account numbers to an unauthorized party outside of TD Bank. The matter has been referred to law enforcement, and customers were offered two years of free credit-monitoring services. In the case reported in the media on December 6, a TD Bank teller in New York allegedly stole the identities of bank customers from January 2012 to May 2013. It is not clear to me whether that report is related to another notification TD Bank sent to New Hampshire on December 16, as that notification did not indicate the dates during which the data theft occurred.
The Office of the United States Attorney for the District of Vermont stated that Derrell Lee, 25, of Atlanta, Georgia, was sentenced today for his role in a scheme to defraud TD Bank through the cashing or attempted cashing of fraudulent checks in Vermont using the stolen personal information and bank account information of other TD Bank customers. Sitting in Brattleboro, Senior U.S. District Judge J. Garvan Murtha sentenced Lee to 32 months in prison followed by two years of supervised release. According to court records, in August 2015, law enforcement determined that Kirsta Dixon, a teller at an Atlantic City, New Jersey TD Bank branch, had provided account information for approximately 34 customers to Laurel Wells in exchange for compensation. Subsequent to the misappropriation of the customer account information, Derrell Lee cashed or attempted to cash approximately $33,000 in fraudulent checks in New York State and Vermont. On each occasion, Lee used the names and account information associated with the compromised information from Dixon. Between August 8 and August 13, 2015, Lee entered eight different TD Bank branches, wearing a distinctive purple suit and passing himself off as someone else in an attempt to cash checks for thousands of dollars. On August 8, 2015, Lee successfully cashed a $4700 check in Fishkill, New York; on the same date he tried unsuccessfully to cash a $4500 check in South Hills, New York. On August 12, 2015, Lee cashed a $4700 check in Montpelier, Vermont; he cashed a $4800 check in Woodstock, Vermont; attempted to cash a $4800 check in Waterbury, Vermont; and attempted to cash another $4700 check in Barre, Vermont. On August 13, 2015, Lee cashed a check under another name in Richmond, Vermont for $4800. Law enforcement arrested Lee later that day after he attempted to cash a $4800 check at the TD Bank in Williston, Vermont. 
At the time of his arrest, Lee had a check made out to one of the compromised accountholders in New Jersey, a withdrawal slip, a New Jersey driver’s license containing Lee’s photo and the accountholder’s identifying information, and a Capital One credit card in the accountholder’s name. The license and credit card were both determined to be fraudulent. Fingerprint analysis determined that both Lee and Wells had contact with the withdrawal slip. Several Vermont State’s Attorney’s Offices initially charged Lee for his offenses at each of the banks. Lee posted bond in his state cases in August 2015, but was arrested in January 2016 on a warrant for failure to appear for court proceedings. On January 29, 2016, Lee was charged federally with bank fraud and aggravated identity theft. On June 22, 2016, he pled guilty to both crimes, the latter requiring a mandatory two-year prison term consecutive to his sentence on the bank fraud charge. Criminal cases are pending against Kirsta Dixon and Laurel Wells in the Superior Court of New Jersey. This matter was investigated by the U.S. Secret Service, with the assistance of the Williston, Richmond, Waterbury, Montpelier, Barre, Woodstock, and Atlantic City, New Jersey Police Departments. The prosecution was handled by Assistant U.S. Attorney Kevin J. Doyle. Mr. Lee was represented by David L. McColgin of the Federal Defender’s Office in Burlington, Vermont. Source: U.S. Attorneys Office, District of Vermont Note: DataBreaches.net has reported on numerous other insider breaches at TD Bank.
Jeff Blumenthal reports: A former TD Bank employee was indicted Monday for allegedly stealing customer information and selling it to co-conspirators, who in turn used the data to run an identity theft scheme. Michael Tuffour, 27, of Philadelphia was charged with one count of bank fraud and three counts of aggravated identity theft. Read more on Philadelphia Business Journal. In the past, DataBreaches.net has reported on numerous insider breaches of this type at TD Bank branches.
Now what was I saying about TD Bank having a lot of insider breaches? Tenisha Nkesha Francis, 32, of Lake Worth, and Ryan Michael Francis, 27, of Riviera Beach, pled guilty in federal court in Florida today for their participation in a stolen identity tax refund scheme. Sentencing is scheduled for September 11, 2014 at 1:30 p.m. before Senior U.S. District Judge Kenneth L. Ryskamp. Specifically, the defendants each pled guilty to one count of aggravated identity theft, in violation of Title 18, United States Code, Sections 1028A(a)(1) and 2, and one count of theft of government funds, in violation of Title 18, United States Code, Sections 641 and 2. At sentencing, the defendants each face a mandatory term of two years in prison for the aggravated identity theft charge, to run consecutively to any other sentence, and a maximum term of ten years in prison for the theft of government funds charge. According to court documents, Tenisha Francis worked as a Financial Services Representative at TD Bank. Tenisha Francis opened seven fraudulent accounts at the bank with stolen identification information obtained from co-defendant Ryan Francis. She was paid between $200 and $500 to open each fraudulent account. After opening the accounts, Tenisha Francis performed maintenance on these accounts and changed certain identifiers associated with the accounts, such as customers’ dates of birth, addresses and telephone numbers. Stolen U.S. Treasury checks were deposited into the accounts, and funds were withdrawn via check card purchases, ATM withdrawals and checks payable to third parties including Ryan Francis and his wife, Vanessa Brown, and Ryan Francis’ company, J.A. Kingz Automotive, LLC. The amount of loss attributable to Tenisha Francis’ relevant conduct is between $120,000 and $200,000. The amount of loss attributable to Ryan Francis’ relevant conduct will be determined at his sentencing hearing. SOURCE: U.S. Attorney’s Office, Southern District of Florida
Jim Walsh reports: For more than two years, Kashon Adade sent many customers to TD Bank offices in South Jersey, authorities say. But all that business wasn’t welcome. Investigators claim Adade ran a bank-fraud ring that relied on insider help and identity theft to drain about $200,000 from the accounts of unsuspecting TD Bank customers. And that’s not all. Federal prosecutors assert another group counted on corrupt employees to target patrons at TD Bank, Citizens Bank and the former Wachovia Bank. A federal trial is to begin in October for alleged members of that group, who are accused of stealing more than $400,000 from November 2005 to May 2010. And on Thursday, New York City officials announced a 148-count indictment of six members of a ring that allegedly targeted scores of customers at one of the nation’s biggest banks. Read more on Courier Post.
Mark Hosenball reports: Leading Democrats in both houses of Congress sent letters on Tuesday to 16 major banks and other financial firms requesting detailed information about recent data breaches and briefings from corporate data security officials. Among the companies targeted in letters sent by Senator Elizabeth Warren, a member of the Senate Banking Committee, and Representative Elijah Cummings, the top Democrat on the House Oversight and Government Reform Committee, were banks, investment firms and other financial service providers. Read more on Reuters, where you can find a list of the 16 banks. Significantly (from my perspective, anyway), the letter only asks about the last year and fails to include two major banks that have had repeated insider breaches. One of those banks – TD Bank – was the target of a complaint this blogger/advocate filed with the CFPB earlier this year.