The challenges of storing and transmitting personal data are reflected in the recently highlighted spate of data thefts and penetration of computer systems. Data is also being pilfered by bank employees and then, as in this case, being sold to individuals who, in my mind, have a legitimate business need for this information, which is illegal to obtain by pretext.
This fellow, Lembo, posed as a collection agency and got high level bank employees to sell him bank account information at $10 per name.
“Based on forensic examination of Lembo’s computers, it was determined that he had employed upper-level bank employees to access and identify individual accounts in their respective banks,” the police statement said. “That information was then sold to his clients, which included more than 40 law firms and collection agencies.”
Debt collection agencies and, attorneys executing judgments and litigating cases in which a parties’ finances are relevant, should be able to independently verify an account holder’s assets. But right now that is illegal. The court may award your client a Judgment but the federal government has taken away some of your authority to collect on the debt.
And attorneys can’t insulate themselves from prosecution by hiring someone else to secure financial information by pretext. So, don’t even ask! It is yet to be seen if New Jersey follows through on this threat but Hackensack PD Captain Lomia is floating it in the press.
Lomia said the law firms that allegedly sought Lembo’s services are part of “phase two” of the investigation.
There are a few well informed posts on this topic at Schneier on Security.