Former Countrywide Employee Arrested For Stealing, Selling Customer Identities

The FBI has announced that a former Countrywide employee and his accomplice were arrested on charges related to “illegal access of computers containing personal information,” and “illegal sale of the data.” A criminal complaint filed last Friday alleges that one of the men, Rene L. Rebollo Jr., a senior financial analyst for Countrywide Home Loan’s subprime mortgage division (who was let go in July), had been harvesting data from Countrywide’s computers for the past two years — downloading and storing the information on personal flash drives.

Rebollo would then sell these “leads” to another man,Wahid Siddiqi, for $500 per batch. The FBI says that Mr. Rebollo admitted that he profited approximately $50,000 to $70,000 from selling the data, which included the Social Security numbers of as many as 2 million mortgage applicants.

The LA Times says:

Rebollo would copy information on about 20,000 customers at a time on Sunday nights by using a [Countrywide] computer that did not have the same security features that other machines in the office had, according to the affidavit by FBI Special Agent Richard P. Ryan.

At that rate, the U.S. attorney’s office said, Rebollo would have compromised up to 2 million customer profiles for about 2.5 cents each — an astonishingly small amount considering the importance of the material. Mortgage leads are among the most expensive for sale because of the potential payoffs to intermediaries when loans are made.

To top it off, not only was this guy selling his customers SSNs, he wasn’t even very good at it, said Beth Givens, director of the Privacy Rights Clearinghouse:

“This guy obviously didn’t do his homework. He doesn’t know the value of these on the black market,” she said.


Countrywide insider stole mortgage applicants’ data, FBI says
[LA Times](Thanks, Alison!)
(Photo: So Cal Metro )

Comments

Edit Your Comment

  1. mmstk101 says:

    Much like Countrywide in general, he just didn’t understand the true value of money.

  2. ThinkPink says:

    Once again, the rightful owners of the Golden Poo.

  3. snoop-blog says:

    I hope he serves at least 20 years, but we know he won’t even get sentenced to 10 probably. He’ll roll on someone and only have to pay fines I bet.

  4. JN2 says:

    I’m in the wrong business.

    How much are these identities and SSN’s worth? I’ll sell mine and my kids to someone for a tank of unleaded.

  5. SkokieGuy says:

    Most businesses used to require two signatures on a check, to reduce opportunities for fraud. It seems anyone can access mass financial data with a few mousclicks.

    Perhaps database access needs controls requiring multiple person’s sign-ins? Sort of like the digital equivalent of a safety deposit box requiring two keys?

    This wouldn’t prevent theft, but perhaps eliminate the single rogue employee kind of theft by requiring collusion between multiple employees for data breaches to occur.

  6. savvy999 says:

    Countrywide– taking your wallet, and then stabbing you in the back after you leave. Nice.

  7. bohemian says:

    Please please please make an example out of this jerk.

    One of the best deterrents against this kind of behavior is fear of prison because these people actually have something to lose. Thinking they won’t get caught or will get some easy punishment encourages this.

  8. Pro-Pain says:

    This is just sickening. Death penalty. That’ll change this type of fraud FAST. Start killing these people, seriously…

  9. moore850 says:

    @Pro-Pain: I’d prefer they serve life in prison and pay giant fines, so their own fines pay for their prison stay. Taking their money scares these people more than death.

  10. Ein2015 says:

    @moore850: I guarantee you they’ve taken his money.

  11. RabbitDinner says:

    @bohemian: I don’t want my comment to be confused for elitism or racism, but it’s true. This demographic actually has something to use, and for this kind of people, fear of prison is actually a good deterrent. Even any legitimate assets you may have had-stocks, bonds, etc-if you have a spouse, say goodbye to that, and your reputation, and any hope of getting a job back in your industry once you’re out. Criminal-criminals, don’t have nearly as much to lose in terms of livelihood. All these thugs deserve time in a pound-me-in-the-ass prison, let the guy who held up the convenience store with a knife out early, and lock up all the real criminals.

  12. chucklebuck says:

    The article doesn’t mention anything about what it plans to do for people who’s data was compromised, so I suppose the answer is “nothing”?

  13. ChootinDaChit says:

    FYI, article title says “Countywide”, not “Countrywide”. I got confused at first.

    This guy is an idiot, and deserves every second of time he’ll be spending in the federal pen.

  14. snoop-blog says:

    @ChootinDaChit: Wow the employee was one county wide? Jeez america really is the fattest nation…

  15. @RabbitDinner: @bohemian:

    I’m with you. Prison time should be a minimum, and I don’t mean federal “minimum security” either. Put them in a real prison. Fines mean nothing to these people, they just pay them and move on to the next scam. There has to be a greater penalty for such egregious behavior.

  16. RabbitDinner says:

    @IamNotToddDavis: I’m all for some “scared straight” type warnings. Go to a *real* prison and be someone’s bitch for a month. Then we’ll see how much white collar crime happens

  17. latemodel says:

    Dont worry, according to the FBI,the most common source of personal info by far is your local hospital computer system. Hospitals jump through hoops to keep your med data safe because of HIPAA fines, but your basic personal data is often available at any terminal, by anyone.

  18. Imaginary_Friend says:

    Situations like this are why no consumer’s private information is ever really safe. Congress should immediately enact legislation to give every citizen the right to freeze their credit reports without fee and to unfreeze them, when necessary, an infinite amount of times, also without fee.

    Then they need to begin a complete overhaul of the entire loan and credit industry; start kicking butt and taking names. Obviously, these industries can’t be trusted to handle things themselves.

  19. johnva says:

    @Imaginary_Friend: I think we as members of the public should also have access to all our own credit reports and scores, an unlimited number of times, on demand. There is absolutely no way it’s reasonable for them to charge you money to access your own report. The credit reporting agencies make plenty of money selling information they collect about you to other people. They don’t need a further revenue source from people accessing their own reports: that should be a regulated cost of doing business for them.

  20. Consumerist-Moderator-Roz says:

    @ChootinDaChit: Please email spelling/grammar mistakes to the editor. Don’t post them in comments. Read the comment code.

  21. pal003 says:

    Yes I would like to see companies NOT use SSN for identification purposes. Why does every CSR at a utility company need to verify my account with my SSN?

    I am also concerned to learn that every CSR at Bank of America can see my full SSN on my account every time I call with a question. Why not just a partial SSN or some other identifier?

    Attention Congress – stop this abuse of our personal information!

  22. @pal003: Congress: “We don’t represent you, we represent the people who lobby us and buy us nice things. Maybe one day you can get sweetheart deals to, if you become a member of congress. If not, go jump in a lake.”

    The moral of the story is: don’t wait for congress to come save you. Place fraud alerts, credit freezes, etc. if you are on this list and pro-actively check your credit files. The best thing Congress can do is to stop making things worse.

  23. Kevin says:

    I find it hard to believe that he’s been doing for the past two years b/c just before I was laid-off in August-07 from a corporate office in West Hills, tech support pushed out an update to disable all outgoing data streams to all ports except Ethernet on all company computers.

    I remember it because it was a big deal since the department I was in, training, needs access to USB drives for exporting and transporting docs. Their response: “Deal with it”.

  24. MPHinPgh says:

    So far, I agree with just about every comment here, but Countrywide’s IT department needs a flogging on this one. The guy in the story DL’ed the stuff to a FLASH DRIVE??????

    Really??? Most financial institutions I’ve worked with (I don IT consulting work) disable the USB drives in BIOS, or they have monitoring SW (kinda like AV software) that blocks access to removable media of all types.

    What that tells me is this is the only guy who got caught _so far_. My guess is without physical data controls, there will be more of these stories to come.

  25. chiieddy says:

    As someone who’s mortgage was sold to these idiots, it would have been nice to hear it from them and not the Consumerist. kthanxbye :P

  26. The_IT_Crone says:

    *sigh* Free credit checks I hope?

  27. LAbattlezone says:

    As one of the recipients of the “Dear —, We are so sorry your personal information was stolen by our employee….” from Countrywide here is what you get “two years of credit monitoring” Whooopiiiiiieeeeee. That’s not enough! It is time for them to pay for failing to monitor both the sensitive information and lack of background checks on their employees who have access to it. If he were working in a sensitive area (key word here is sensitive area) within the law enforcement community he would have to pass a polygraph, submit to bank account audits and give the department an audit of his assets yearly.

    Sometimes the only way for organizations to understand their responsibility is to hurt them in the bottom line or put them out of business.

  28. actuatedpoodle says:

    Oh yes, this was the institution that sold Senator Chris Dodd (D) his sweetheart deal to look the other way on a few things way back when…