Countrywide Insider Stealing Two Million Personal Records is a Drop in the Data Compromise Bucket

On Friday, the FBI arrested a former Countrywide employee and his accomplice for stealing and selling personal information (including social security numbers) obtained from people applying for mortgages. According to news sources, the number of people compromised was about two million.

The Countrywide inside man was identified as Rene L. Rebollo, Jr., who worked at Countrywide's sub prime lending division, Full Spectrum Lending. Also arrested was Wahid Siddiqi, who was the alleged information reseller in the caper. Both arrests took place in Southern California.

The criminal complaint alleges that Rebollo downloaded 20,000 names a week for about two years. The batches of 20,000 were sold for about $500 to Siddiqi. This amounts to about 25 cents per person compromised.

According to a spokeswoman at Countrywide, the investigation shows that 19,000 people's information has been actually used.

Beth Givens, of the Privacy Rights Clearing House, was quoted in a story about this in the LA Times and aptly pointed out Rebollo sold the information at well below known black market prices. Although the prices for stolen information — which is sometimes sold in underground Internet forums — has dropped in recent years, a name that has a matching social security number is worth well more than 25 cents a pop.

The official spin is that this information was used for leads to sell real estate, but my speculation is that we'll never know for sure. According to the news reports, the information was being sold to companies. The FBI, posing as a company, was able to buy records from Siddiqi.

If it was sold to companies, who knows who they might have sold it to, or if they have any dishonest employees selling it on the black market?

This made me wonder if any of the companies buying the information will be publicly disclosed. In a similar case at Certegy — where another dishonest employee was caught and convicted for selling stolen information to "companies" — the companies involved were never made public or charged with any crime (to my knowledge). Court records indicated a co-conspirator in this case, but again (to my knowledge) no one has ever revealed exactly who this mysterious co-conspirator was.

 

Givens also pointed out that names, which include a social security number and perhaps financial data, can be used to commit what is known as new account fraud. New account fraud is where an identity thief poses as their victim and opens new lines of credit. Once this is done the first time, the thief (sometimes thieves) continue to open lines of credit until the victim's credit report makes them look like a deadbeat.

Article Author: Ed Dickson

Having worked around financial crimes for a number of years, I noticed they seemed to be on the rise. One reason for this is technology, which grows more rapidly than laws designed to protect us from it. …

Visit Ed Dickson's author page — Ed Dickson's Blog