The critical information of over 1.5 million customers of SunTrust Banks may have been breached after a malicious insider illegally gained access and stole the data, which included contact lists, names, addresses, phone numbers and certain account balances.
The financial company, which is based in Atlanta, provides investment, mortgage and asset management services as well as other financial services, so it is continuously processing sensitive information. According to Reuters, an attempt to download the data was made between six and eight weeks ago.
Following this discovery, SunTrust is offering identity protection free of charge to all current and new customers. The bank has gone on record to state that other sensitive information, such as account numbers, PINs and passwords, was still protected and had not been breached.
Organizations must prepare for the worst and suspect that every employee could be a potential threat. Insider threats are not a new phenomenon: the Verizon Data Breach Investigations Report found that of all attacks in 2017, 25% were carried out by an insider from the company who intended to seek financial gain or cause company damage through espionage. Of course, it is difficult to catch a malicious insider in the act, but organizations can implement security defenses to ensure the data is adequately protected at all times.
The business can introduce access privileges for members of staff, so that only those given permission are able to access the data. Hiring a data protection officer would also be beneficial, as that person can act as a gatekeeper to the critical information. Under the European General Data Protection Regulation (GDPR), it is mandatory for every enterprise company that does business in Europe to hire a data protection officer (DPO). The DPO will be charged with ensuring the company is following GDPR compliance laws.
Security investment in encryption-based solutions like the eperi Gateway is growing throughout the industry as organizations seek to guard their data and meet compliance requirements.