ASSIGNMENT 1: REVIEW OF BUSINESS FRAUD

ABSTRACT
Business fraud is a white-collar crime that is increasing at a rapid pace. One case of business fraud dealt with an information breach within Bank of America’s information system. This breach affected over 300 Bank of America customers. Management failed to provide proper security for their information system and the sensitive information of their customers. The following assignment will give detailed specifics about the case, clarify the classification of this particular fraud, and suggest recommendations that can help prevent this fraud from reoccurring.

ASSIGNMENT 1: Review of Business Fraud On May 24, 2011, an investigation was in process within the Bank of America organization for potential business fraud. A Bank of America employee had manage to copy the personal information of over 300 of the bank’s customers. The security breach allowed the Bank of America employee to communicate the sensitive information of the customers to a ring of scammers. Customer information compromised included the customers’ names, physical addresses, Social Security numbers, contact numbers, checking account numbers, savings account numbers, routing numbers, driver's license numbers, date of births, email addresses, mother's maiden names, PINs and the balances on their accounts. Scammers used this information to start up credit cards and to spend the money available on the customers’ bank accounts. The leaking of the confidential information to scammers resulted in total losses of $10 million. Investigators conducted the arrest of 95 suspects, including the ring of scammers and the former employee. Auditors and management aided in the investigation that involved the Federal Bureau of Investigation. The FBI stated that they believe that the former Bank of America employee and the ring of scammers had gang affiliations.
Bank of America was responsible for reimbursing the customers affected by this data breach. Furthermore, Bank of America closed out the compromised accounts and established new savings and checking accounts for each of these customers. To ensure the protection of their identity, they also offered the victims 2 years of credit monitoring services. Management took a role of caution. They did not disclose any information on how the fraud was committed nor the name of the former Bank of America employee. They did correct the situation with the customer by reimbursing their money and offering the services mentioned above. However, despite their attempts many customers have lost their confidence with the banking institution. Lack of trust led some customers to pursue banking services with another institution. The few that stayed comment they check their accounts up to 3 times a day via online.
The former Bank of America employee participated in a form of computer fraud. The act of him copying the customer information was committing the act of data fraud. Company data was stolen from the company without their knowledge or consent for a fraudulent purpose of spending the victims’ money. Data leakage is the computer fraud and abuse technique that the culprits engaged in. Data leakage is the “unauthorized copying of company data” (Romney & Steinhart, 2012). The data leakage was one of the forms of fraud included in the series of fraudulent activity these scammers were involved in. With the data obtained from the customers, the scammers then participated in the computer fraud and abuse technique of identity theft. Romney/Steinhart describe identity theft as, “assuming someone’s identity, usually for economic gain, by illegally obtaining and using confidential information, such as a Social Security number or a bank account or credit card number” (Romney & Steinhart, 2012). Furthermore, Romney/Steinhart go on to state, “Identity thieves empty bank accounts, apply for credit cards, run up large debts, and take out mortgages and loans” (Romney & Steinhart, 2012). This is exactly what occurred with the stolen data. The series of fraudulent activity began with the former Bank of America committing data fraud and communicating this information with the scammers. The fraud then escalated to identity theft when the scammers use that information to gain access to the victims’ money.
Bank of America has a set of standards that promote a strong internal environment. One control that was in place is a Human Resources standard of performing background checks. To be able to work for a banking institution, employees must first be able to pass a drug test, background check, and a credit check. The former employee was able to get through this screening without raising suspicions. The bank has never had a serious case of data leakage of this extreme so it is evident that the do promote a strong internal environment. This was just an abnormality within the history of company’s information system security. Management responded and handled the situation reasonably.
Several controls could have prevented this data leakage and can prevent future fraudulent activity similar to this one. One method is to create and enforce company policy and procedures regarding the protection of company and customer information. All employees receive a manual regarding the handling of this sensitive information. However, it is all too often never really enforced. Bressler discusses this privacy issue when she states, “Much concern exists regarding identity theft and “dumpster diving” as private information can be revealed in employees’ trashcans leading individuals to purchase paper shredders to protect company data. The question can be asked as to whether the same care will be taken with private digital information and/or the company’s accounting information system data” (Bressler, 2011). It is important that Bank of America makes sure all employees understand their policies about safeguarding such information. Furthermore, enforcement of these policies and procedures are crucial for obtaining employee compliance. Bank of America must actively participate in both activities for this tool to be effective in deterring future fraudulent activity of this kind.
Another tool is a detective control that requires proper monitoring of employees. Systems can keep a log of all system transactions, which includes the copying of company data. Proper monitoring could have caught this culprit when he first copied the first set of customer data. These logs should be reviewed periodically; however, an alert should be set when sensitive data is being copied.
If the company adapts the two tools mentioned earlier to their current set of security measures, they will be better prepared in the case of another data leak. In a bank institution, management should always monitor all employees closely to avoid losses similar to the $10 million loss in this case. Employees have constant access to sensitive information and to cash, which tempts employees to participate in fraudulent activity. Gottschalk and Solli-Saether properly explain this stating, “financial crime is opportunity driven. Opportunity is a flexible characteristic of financial crime and varies depending on the type of criminals involved. Types of financial crime can vary as much as the criminal organizations and criminal businessmen involved. The opportunity emerges when a weakness in a procedure has been discovered. Opportunities appear when a risk exists” . (Gottschalk & Solli-Saether, 2010).
The investigation of this identity theft fraud resulted in the arrest of 95 suspects including the former Bank of America employee. The 95 scammers were all prosecuted for their participation in this scam ring. Future potential scam artist, much like the former Bank of America employee, should be scared to partake in such fraudulent activities due to the punishment of these individuals. In proportion to the $10 million dollar loss to Bank of America, the arrests and prosecution of these 95 scammers can be deemed appropriate. This case should serve as a model on how extensive investigation can lead to the arrest of that many participants. Not only was the former Bank of America employee held responsible, but everybody who was in any involvement with identity theft ring were held responsible as well.
In conclusion, the scammers participated in data fraud by partaking in the computer fraud and abuse technique of data leakage. Identity theft of over 300 Bank of America customers is the end result of the data leakage. Certain steps could have been taken by management to prevent this form of fraudulent activity. Management could have properly notified and enforced all policies and procedures regarding company and customer information. Furthermore, management could have kept a better log of all system transactions. Sensitive data being copied should have been caught and alerted as a possible security threat. The result of this investigation, 95 arrests; is appropriate and will help deter future fraudulent activity of this kind.

CITATIONS
Bressler, L. (2011). Forensic investigation: The importance of accounting information systems.
International Journal of Business, Accounting, and Finance, 5(1), 67-77.
Gottschalk, P., & Solli-Saether, H. (2010). Computer information systems in financial crime investigations. Journal of Computer Information Systems, 41-49.
Lazarus, D. (2011, May 24). Bank of america data leak destroys trust. Los Angeles Times.
Retrieved from http://articles.latimes.com/2011/may/24/business/la-fi-lazarus-20110524
Romney, M., & Steinhart, P. (2012). Accounting information systems. Boston, MA: Pearson
Learning Solutions.