Wells Fargo: A Breach of Trust – How to avoid this happening inside your organization…


Sometimes technology alone is not the answer. Imagine your upper management starts demanding unreasonable numbers from the sales team and threatens to fire them if they can’t reach these unrealistic goals each month. For a car dealer, it’s obvious that a consumer has to show up, sign up for a loan or bring a bank check for the full amount and buy the car of their choice. You simply can’t fake it. In this case, something went viral – it was the ability to defraud consumers inside a bank of all places – where trust is sacrosanct. Sales teams found a loophole: “I’ll just create another account for Jane Doe, she won’t notice and I’ll hit my unrealistic numbers if I do this for all new accounts I open. In fact, why don’t I go through all the accounts I’ve ever opened and do the same – I have the PII (Personally Identifiable Information) and I have all the necessary permissions and access to ‘fake it till I make it.’”

This is what went down at Wells Fargo and it went internally “viral” – everyone was doing it and no one seemed to care. The results – the sales were up, new accounts were opened and employees were keeping their jobs, getting their bonuses and no one at the “C” level was aware of the problem.

While I could go on all day about ETHICS 101, it seems the ‘crowd’ hysteria mentality and excuse is what took place at Wells Fargo. Only after many consumers suffered – some even losing their houses and having their credit scores destroyed – did this issue come to the notice of law firms, criminal investigators, government agencies and finally, the Wells Fargo “C” level executives.

What’s sad is that the US Government, since the introduction of the Patriot Act, began spying on all of us, looking for needles in haystacks. Want to move $5k? This triggers a Patriot Act alarm at Wells Fargo (or any bank) for a ‘fraud review’ – are you money laundering for a terrorist organization or are you just trying to pay your bills? Either way, we the people are scrutinized at every turn.

Walk through New York City and you’ll see more than $2B invested in cameras on every street corner, tied into state agency and US DHS fusion centers doing facial recognition on you – just to make sure you’re not a terrorist – your privacy is over. Yet Wells Fargo employees who chose to take a path of criminal behavior were not scrutinized in any way that would trigger an alarm for executives at the “C” level to wake up and realize something just wasn’t right with the number of new accounts being opened, the accrued penalties for low balances, the negative balances, the triggers to destroy people’s lives both in loss of home and credit score. I would say this astounds me, but nothing astounds me anymore when it comes to malicious insiders.


On this scale? A first: “Viral” Crowd Mentality of Criminal Behavior

If this viral ‘crowd’ mentality of criminal behavior took hold in your company, how would you know? What would you do? We can learn a lot from the Wells Fargo case. First, setting unrealistic sales expectations triggered bad behavior. Second, something was wrong with middle management in the way they motivated front line sales staff. Third, all the safeguards in wire transfer, Patriot Act triggers and other fraud protections put in place were never once turned inward on the bank’s own internal activities. Employees became malicious, criminal insiders.

No one at the executive level noticed and the crime continued until the victim snowball effect turned into an avalanche. 


What Can We Learn and How Can We Avoid This Problem?

What we can learn to avoid this problem is quite simple. Internal controls for fraud should not just be pointing outward towards the consumers – tripwires should be in place to trigger alarms for fraudulent behavior from the inside-out. It’s that simple. More frequent audits, including looking for malicious insider behavior, would have tipped upper management off, maybe in time to stave off the bad behavior from becoming viral.

“What this also says about human nature is that when good people are put in a corner – feeling like they will be fired if they don’t meet unrealistic expectations, in such a tough economic time, instead of the best coming out, it seems we see the worst coming out.”

Once again, the lesson is learned – don’t be too greedy, don’t be too focused on honest customer fraud risk, take a look from the inside-out more frequently and you might be able to catch malicious insider behavior that should never happen in the first place.

“It’s very difficult to gain a customer for life, it’s incredibly easy to lose one.” – Gary M.


About The Author

Gary Miliefsky, fmDHS, CISSP®, CEO, SnoopWall, Inc.

Gary is the CEO of SnoopWall, Inc. and a co-inventor of the company’s innovative breach prevention technologies. He is a cyber-security expert and a frequent invited guest on national and international media commenting on mobile privacy, cyber security, cyber-crime and cyber terrorism, also covered in both Forbes and Fortune Magazines. He has been extremely active in the INFOSEC arena, most recently as the Editor of Cyber Defense Magazine. Miliefsky is a Founding Member of the US Department of Homeland Security (http://www.DHS.gov), the National Information Security Group (http://www.NAISG.org) and the OVAL advisory board of MITRE responsible for the CVE Program (http://CVE.mitre.org). He also assisted the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace as well as the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. Previously, Gary has been founder and/or inventor for technologies and corporations sold and licensed to Hexis Cyber, Intel/McAfee, IBM, Computer Associates and BlackBox Corporation. Gary is a member of ISC2.org and is a CISSP®. Email him at ceo@snoopwall.com.
