Security oversight may have enabled Countrywide breach

The man accused of stealing customer data from home mortgage lender Countrywide probably was able to download and save the data to an external drive due to an oversight by the company's IT department.

On Friday, Rene Rebollo, a former senior financial analyst at Countrywide, was arrested for his alleged role in stealing customer data and selling it (Compare Data Leak Protection products).

U.S. Federal Bureau of Investigation affidavits show that Rebollo told special agents that he knew most computers in the office had a security feature that disabled the use of a thumb drive. However, he discovered that one computer didn't have this feature.

On a weekly basis, often on Sundays, Rebollo would collect customer names per request by his buyers and download them onto his personal thumb drive using that one computer in the office, according to the documents. Rebollo might specifically collect names of people who recently declined an offer of a loan by Countrywide, for example.

Over a two-year period, Rebollo estimated he downloaded approximately 20,000 customer profiles each week and sold files with that many names for $500, according to the affidavit. The profiles included Social Security numbers and other contact details about the people. He typically would e-mail the data in Excel spreadsheets to his buyers, often using computers at Kinko's copying and business center stores.

Countrywide's owner, Bank of America, has not responded to a request for information about the type of security it employs to prevent this type of theft. According to a statement from the FBI last week, Countrywide said it is analyzing the stolen data to determine whether any customer identities have been compromised. If they have, the company said it will notify the customers, according to the FBI statement.

While it's not clear what type of security Countrywide employs that disables the use of thumb drives, it may use software that includes an agent on all computers that IT administrators can set to control how each port on the computer can be used. Such products can allow administrators to set rules that allow certain employees to access certain ports, or set rules that define what types of files can be copied to certain ports, said Pat Clawson, chairman and CEO of Lumension Security, a company that sells such software. If this is the method Countrywide uses, its administrators may have accidentally failed to install the agent on the computer that Rebollo discovered.

But that type of vulnerability can be avoided, Clawson said. Companies should have policies that require any device that touches the network to be checked. "No matter if that device is a laptop or a handheld, it has to go through some sort of scanning process to find if they have all the requisite materials before you allow them to access the network. It's clear that didn't happen here," he said.

Many companies that handle sensitive data also have systems that enforce encryption rules and prevent most workers from copying sensitive data, Clawson noted.

The IDG News Service is a Network World affiliate.