There is something really sad and ironic about the title “Countrywide Breach”. But the facts are the facts. There has been a Countrywide Breach in America. Two men are accused of conspicuously downloading all the CountryWide customer records over two years and selling them for relatively little ($70K).
The former employee, Rene L. Rebollo Jr., 36, of Pasadena, was charged with exceeding authorized access to the computer of a financial institution, the FBI said in a statement.
[…]
Rebollo would go into work on Sunday afternoons, log onto his company’s network and download the data onto flash drives, the complaint said.
Investigators believe he was selling the information to Siddiqi, who allegedly acted as a middle man for the companies that bought it, the complaint said.
The FBI says this was unauthorized and therefore a criminal act. That makes me wonder. I get notices about privacy practices all the time from CountryWide, (unfortunately) being a (vulnerable) customer of theirs, where they repeatedly warn me that if I do not actively tell them to protect my records they may be sold to other firms. I mean I am tempted to ask whether Rebollo is considered unauthorized only because he did not bother to pay Countrywide a portion of his revenue?
Are you surprised that the accused worked with the subprime mortgages:
Rebollo had access to Countrywide client information when he worked as a senior financial analyst for the subprime mortgage division, known as Full Spectrum Lending, according to the criminal complaint.
The bottom line here is that approximately 2 million records were sold (for $0.025/each, $500 for 20,000) over a 2 year period. The fact that this was done all via a flash drive on Sunday afternoons suggests it could have been detected easily and early. Was it an insider? A contractor? An outsider with inside connections? Who really cares about the perimeter anymore? The data flowed and the access was higher than roles apparently should have allowed over a long period of time.
Also interesting to note that Countrywide claims only 19,000 identities have really been compromised so far…but given 2 million records leaking over 2 years who would trust their own detection and accounting numbers?
Perhaps that’s too much sarcasm for this morning. Need coffee…