Thayer Evans has a report on fraud reports out of Texas that reminds us that sometimes fraud may not occur until years after a compromise or breach:
League City police have received 15 to 20 reports of identity theft in the last two to three weeks, League City Police Lt. Bruce Whitten said.
[…]
The thieves used the victims’ personal information obtained through a subsidiary of a local bank and obtained the credit or debit cards in their names without their knowledge, Whitten said.
[…]
Whitten declined to provide the name of the area bank, citing an ongoing investigation, but said the personal information was compromised by the subsidiary years ago. The bank is aware of the breach and is working to address it, he said.
Several months ago, the bank had a rash of League City victims in the same type of identity theft, but the unauthorized charges were then made in Illinois, Whitten said.
Read more on Ultimate Clear Lake.
So…. if the breach occurred years ago, was the subsidiary aware of it at that time? If so, what did they do? And if they first became aware of it several months ago after the fraud reports from Illinois, what did they do then? Was the compromise a matter of insider theft of personal info that is first being used now, or was the compromise a key logger that has sat on their system undetected for years, or….? We need more information on this one.
Great thanks to Tom Considine, host of “WhoComplys,” for sending in this link.