Shostack + Friends Blog Archive


Lasalle Bank, 2 million mortgagees, SSNs, acct #s, "lost" tape

From Crain’s Chicago Business:

LaSalle Bank Corp. says a computer tape bearing confidential information on about 2 million residential mortgage customers disappeared last month as it was being transported to a consumer credit company in Texas.
The Chicago bank has alerted law enforcement authorities and is also monitoring transactions closely to detect any unusual or fraudulent activity affecting its customers. The tape contained customers’ names, account numbers, payment histories and Social Security information.
A package containing the tape disappeared sometime after Nov. 18, when it was picked up by DHL from LaSalle’s data center in Chicago. It never arrived at its intended destination: an Experian credit bureau office in Allen, Texas.

This latest data loss bears a remarkable similarity to one suffered by Citigroup, which Adam reported on in June.
The Citi incident, claims Stephen Spoonamore, was an inside job involving 15-20 people. This claim has been picked up by Bruce Schneier, and will now garner much infosec community attention.
If Spoonamore is correct, and I hasten to add that his assertions appear in a trade mag and are not sourced or corroborated, the Lasalle Bank incident becomes even more interesting, since very similar unencrypted data just happen to have been on their way from a large bank to Experian’s data center in Allen, Texas, and just happen to have gone missing.
If there is foul play in the Lasalle incident, then either the conspiracy is broader than heretofore suspected, since Lasalle shipped via DHL, whereas Citigroup used UPS, or the shipping firms are not to blame (since they differ across cases), or we have more than one group of bad actors at work here. None of the above is particularly good news for any of the jillion or so people who have a loan in the U.S.
Since the “if” in the preceding paragraph is a rather big one, I’d like to see Spoonamore’s assertion concerning the fact pattern subjected to a good deal of scrutiny. If it holds water, now that Lasalle has been hit this gets very, very interesting.
I sure hope Rudolph is getting plenty of sleep, because when Santa visits Allen, Texas it seems that some extra care will be needed to ensure that the presents actually show up.
December 19 Update: Bob Sullivan notices the similarity between this and the Citibank incident, too. Now start making calls, Bob. I bet Spoonamore’s number is listed. :^)
A quick note — Lasalle Bank is a subsidiary of ABN Amro. Since the latter is better known outside of Chicago, reports elsewhere may use the ABN Amro name.

3 comments on "Lasalle Bank, 2 million mortgagees, SSNs, acct #s, "lost" tape"

  • Sighting of near-extinct beast – the profitable crypto attacker

    Regular readers know that I frequently stress that many threats are unvalidated in that they derive from a textbook or a security salesman’s hyperactive imagination. So it behoves to collect data on what are validated threats. In what might be a first …

  • Iang says:

    I see that trackbacks are stuffed – another casualty of the SSL blog 🙁
    It is interesting to speculate on the cycle here. If we assume that these inside jobs have been going on for a long time, then part of their cover has been the lack of disclosure. Without the disinfectant of sunlight, it is possible to build up large and complex attacks within the corporations, and construct plausible reasons for them like “the other guy lost it.” As everyone is encouraged to write it off, the finger-pointing never gets checked.
    Only after the corporates were forced to disclose did they find themselves bringing in external experts who then discovered the inside theft pattern. Anybody on the inside would already have been ‘got at’ and was already aligned to suppression of the problem.
    If so, we might expect to see a rash of these cases, where the disclosure tips the balance and opens up a previously dark cesspit. This of course doesn’t make the problem go away, it just catches a subset who weren’t adept at the shift in threat (to them) environment.

  • Patrick says:

    The bloggers over at NotSoCommonCents have talked about another one of LaSalle’s recent goofs. Check it out:

Comments are closed.