Continuing our recent blog series on high-profile data breaches, this post examines the breach, reported by the New York Times, of a significant amount of personal and financial data by lawyers acting for Wells Fargo, a large international American bank.
When legal counsel for Gary Sinderbrand, a former Wells Fargo employee, subpoenaed the bank as part of a defamation case against a bank employee, they anticipated receiving a file containing emails and documents pertaining to the subject of the case. Wells Fargo’s lawyers, however, accidentally provided Mr. Sinderbrand’s legal team with a CD containing information far in excess of their request. The 1.4 gigabyte file included multiple Excel spreadsheets containing copious amounts of personally identifiable data and confidential financial information relating to tens of thousands of the bank’s wealthiest clients. In addition, the CD included personnel files relating to a large number of bank employees, including their personal compensation, performance and client lists.
So how could this significant data breach have been avoided?
Danielle Cussen, MD of Wizuda, indicates: “this data breach, like most, was essentially a case of human error; however, if the correct data transfer policies and procedures were in place, the opportunity for the error to occur would have been greatly reduced. Many organisations have never implemented basic safeguards in relation to how the personal data they hold can be transferred, by whom and for what purpose. In the case of an institution like Wells Fargo, where data transfers are happening on a regular basis, it is likely that enforced data transfer policies would have prohibited the use of manual transfers of any type, which obviously would have included the use of CDs.”
In Europe, Cussen suggests the incoming GDPR has seen many organisations replace manual transfer processes with technical solutions like Wizuda’s Compliant Data Transfer and File Share software products. “Our client companies experience enormous assurances from implementing our data transfer solutions as they provide complete visibility of their organisation’s data transfer activities. Our solution also encrypts data in transit and at rest, which significantly reduces the risk of a data breach. In addition, the presence of built-in workflow authorisations means accidents like sharing the incorrect file are eliminated, if not dramatically reduced, as pre-approval is required before any transfer is made.”
Traditionally, executives have relied on hardware like CDs, USBs and hard drives to transfer large files; however, Cussen stresses that technology has advanced significantly and “secure file sharing solutions such as Wizuda’s Compliant File Share software place no restrictions on the file sizes which can be shared.”
If Wells Fargo had used a technical transfer solution, it would have benefited from further governance controls such as a full audit trail to identify if, where, when, how and what type of transfer had occurred. Cussen goes on to explain: “had Wells Fargo’s lawyers anonymised, pseudonymised and/or minimised the personal or commercially sensitive information using a solution like Wizuda, the anonymity of the data subjects would have been protected while still satisfying the requirements set forth in the subpoena. In this instance, even if the incorrect data had been sent, it would not have constituted a breach as essentially the receiver would not be able to personally identify any of the clients or employees referenced.”