Atlanta-based SunTrust Bank is the 12th largest bank in the US. They have a major problem, and so do roughly a million and a half of its customers. According to CEO William Rogers, an unidentified employee of the firm printed a vast amount of private customer information, including their names, addresses, phone numbers and account balance information.
Rogers stressed that social security numbers, account numbers, driver's license numbers, user IDs, and passwords were not exposed. In a recent press release, he had the following to say:
"In conjunction with law enforcement, we discovered that a former employee while employed at SunTrust may have attempted to print information on approximately 1.5 million clients and share this information with a criminal third party.
We and third parties have done forensic analysis on these accounts and we have not identified significant fraudulent activity regarding the effect of the accounts."
Even so, this is a blow to the company's image, and the lost trust won't be easily regained. It also underscores how vulnerable companies are to internal threats.
In response to the attack, SunTrust is offering ongoing IDnotify identity protection (offered through Experian) to all its current and new clients at no cost.
The company's handling of the issue so far has been about as good as can be expected. The unfortunate reality is that there aren't many good ways of stopping a rogue employee from making off with sensitive customer data or proprietary company information. Better auditing protocols and controls can help, but only to a certain extent. While those kinds of policies make it easier to detect when an internal theft has occurred, they do nothing to actually prevent them.
This puts management in a tricky spot. Employees have to be trusted with sensitive data in order to do their work, which also increases risk. There aren't many good solutions here beyond better vetting of employees, but of course, that is by no means a magic bullet either.