American bank Fifth Third has come under fire for sending customers a cryptic breach disclosure letter judged to be “vague and deceptive” by a consumer group.
Fifth Third wrote to customers after discovering that at least two of its employees had stolen customer information and provided it to a third party. Data exposed included names, Social Security numbers, addresses, phone numbers, dates of birth, mothers’ maiden names, driver’s license information, and account numbers.
The thefts began in the summer of 2018, and those responsible have since been terminated by the company. Although it hasn’t been confirmed that the employees who pulled this inside job later sold the stolen data on the dark web, it’s only logical to conclude that they stood to profit in some way from their high-risk actions.
The bank, which is headquartered in Cincinnati, Ohio, at Fifth Third Center, has not specified how many customers were impacted by the incident or how many former employees were fired for passing out customers’ personal data.
In a written statement, Fifth Third said: “We have notified the limited number of customers who may be impacted. We will provide identity theft monitoring to them at no cost.”
Jack Gillis, executive director of the Washington, DC–based non-profit consumer advocate, said: “Fifth Third is only telling half the story—it’s vague and deceptive to customers because it’s not just their Fifth Third accounts that will be impacted.”
A breach notification letter sent to select consumers, which reassured them that the bank had “not detected any fraudulent activity on your accounts,” was criticized by Gillis as misleading. He pointed out that whoever had access to the stolen data could misuse it in ways that wouldn’t be detected by the bank.
The illicitly obtained personal data, which Gillis said could now be on sale on the dark web, could be purchased by criminals and used to set up credit accounts with banks other than Fifth Third. Such accounts could be used to run up fraudulent charges that wouldn’t be detected until they came on the radar of credit reporting agencies.
Source: Infosecurity Magazine