Atlanta-based SunTrust says data on 1.5 million customers tapped

After announcing an “inappropriate” access of data, SunTrust offered to pay for credit monitoring and identity protection for its customers. AJC File Photo.

Atlanta-based SunTrust on Friday said it feared that a now-former employee had wrongly accessed basic information about 1.5 million customers.

The company became aware in late February that the person – an employee at the time – had access to confidential information including names, addresses, phone numbers and some account balances. However, the pool of data that had been accessed did not include what the company called “personally identifying information,” like account and Social Security numbers, user passwords and driver’s license material.

The company referred to the incident as “a potential theft,” and said that the employee in question may have tried to share the data with “a criminal third party.”

SunTrust said the employee subsequently left the company. SunTrust declined to name the employee or say when he or she departed, and would not say if the employee quit or was fired. SunTrust would not say if the employee was based in Atlanta.

The company said it is cooperating with authorities, but declined to offer specifics.

SunTrust's announcement comes after several years of high-profile data breaches, in which outside hackers used the Internet to electronically reach into a company's computer servers and pilfer data. Last September, for example, Atlanta-based Equifax revealed a massive data breach in which personal information of more than 145 million Americans was stolen.

A number of other huge breaches have also been reported during the past several years, including one in 2014 at Atlanta-based Home Depot.

But in this case, the employee in question had direct access to SunTrust facilities. So while it is possible that the data was printed out, the incident did not involve someone outside the company, said spokeswoman Sue Mallino. "That is why we are not using the word data breach. It was a potential theft of client information."

However, she said that SunTrust has “no evidence that any information left the company via flash drive or computer. Our concern is that we learned late last week that information may have been printed and taken.”

In other words, it was an inside job, said Humayun Zafar, a professor in information security at Kennesaw State University.

Sometimes that kind of leak is “non-malicious,” he said: If an employee accidentally clicks on the wrong link or gets snagged in a hacker’s “phishing” expedition.

But sometimes, it is intended.

And while hacking sparks a public fury of attention, tens of thousands of employees have daily access to vital information.

“Insider threats in general are the most common form of breaches,” Zafar said.

Either inside or outside, there's a lesson here, said Beth Stephens, senior director of public policy at Georgia Watch.

“These data breaches have shown us that, as consumers, we cannot assume that our information is completely protected by businesses that provide us with services,” she said. “The best thing consumers can do is put a freeze on their credit.”

A new state law makes credit freezes free.

SunTrust handles accounts for about 4.4 million households, Mallino said.

SunTrust said it will notify all the clients whose information might have been stolen and will offer to pay for its consumer customers to have identity protection, credit monitoring and other services from Experian, a company like Equifax that offers consumer credit reporting.

The company declined to say how much those services will cost. But during the conference call, company Chief Executive Bill Rogers said the expense could be absorbed in its “normal course of business,” Bloomberg reported.


The SunTrust response:

After announcing the potential data theft, SunTrust offered to pay for any of its customers to receive "IDnotify" from credit reporting company Experian. The service includes:

— Experian 1B credit monitoring

— Annual Experian credit report

— Identity theft insurance

— Assistance in restoring identity

— Call center support

— Monitoring for the “Dark Web”

Source: SunTrust