ATLANTA - Personal account data on nearly 680,000 customers of four banks may have been fraudulently obtained by a New Jersey man who made millions selling it to law firms and debt collectors, authorities say.
Detective Capt. Frank Lomia of the Hackensack Police Department in New Jersey said the scheme operated over a four-year period and affects customers at Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp.
Most are in the Northeast, and it doesn't appear that the information was used for identity theft or account fraud, Lomia said.
Wachovia said it has notified 48,000 customers, and Bank of America said it has alerted 60,000. Neither has released state-by-state breakdowns.
Both banks are paying for credit-monitoring services for affected customers.
It's the latest case highlighting the vulnerability of consumer data, even though New Jersey investigators don't believe identity theft was the goal this time. Fraudulent use or theft of data at Alpharetta, Ga.-based ChoicePoint, LexisNexis and DSW shoe stores, among others, has brought new attention to how consumer information is stored.
Hackensack police arrested Orazio Lembo, the alleged mastermind behind the New Jersey scheme, last month. They say he started a second company, Espresso Unlimited in New York, and was soliciting business from law firms and collection agencies there with a promise he could locate assets of people who were delinquent on debts.
That company was in operation about a month before his arrest. Lomia said it doesn't appear that Lembo, 35, made any headway in New York.
"It was a service that was too unbelievable," Lomia said. "It was cheap, it was fast, and it was a lot of information. And if you were willing to take a chance, you went to him."
In the New Jersey case, police said Lembo persuaded at least seven New Jersey employees of the four banks and one employee of the New Jersey Department of Labor to work with him.
Investigators said the alleged scheme worked this way:
Lembo ran a company called DRL Associates - which promised to conduct background checks and find people and their financial assets - from his Hackensack high-rise apartment.
The law firms and debt collection agencies gave Lembo lists of people they claimed were delinquent on their bills and hired his company to get their employment and asset information. The lists included those people's names, addresses and Social Security numbers. Lembo received $50 to $150 per person.
In New Jersey, such companies - known as "skip-trace" businesses - have to be licensed, and a person's employment record and bank account information can only be obtained through a court order.
But because of previous convictions, including one for bribery in 1998, Lembo couldn't get a license, authorities said. He paid the seven bank employees - most of whom were assistant branch managers - to search their banks' databases to see whether any of the names and Social Security numbers matched their customer records, investigators believe.
The bank employees, who had authorization to check customer records because it was a necessary part of their jobs, were paid $10 for every name they looked up. Those bank employees were looking at as many as 400 to 500 customer accounts a day, far more than the 30 or 40 a bank branch manager would typically look at in a normal business day, investigators said.
Authorities say Lembo made at least $2.5 million, while the bank workers pocketed amounts in the thousands. Lembo, who was arrested April 28, is charged with one count of racketeering and eight counts of disclosing information that he wasn't entitled to have from a computer database. He could receive 130 years in prison if convicted, as well as $1.4 million in fines.
The bank employees are charged with 10 counts each of commercial bribery, conspiracy to commit commercial bribery and disclosing data from a computer database. They each could receive 40 years in prison and $350,000 in fines.
The New Jersey Labor Department employee could face the same charges for allegedly funneling work records to Lembo, plus an additional charge of official misconduct. That employee could get up to 40 years in prison and $450,000 in fines.
Police are investigating the 45 New Jersey law firms and collection agencies that used Lembo's service to see whether they knew it was unlicensed. The scheme was uncovered during a probe of a residential burglary involving stolen checks made out to and endorsed by Lembo's company.
Privacy advocates say it's troubling that the scheme went on for four years without detection, noting that big financial institutions say they have numerous safeguards.
Bank of America and Wachovia say their employees undergo rigorous background checks and have to attend mandatory privacy and ethics training each year. Bank of America terminated one employee and Wachovia two after the scheme was revealed.
"Where's the audit trail, where's the supervision of these individuals?" said Beth Givens, director of the Privacy Rights Clearinghouse. "Something as time-consuming as looking up 400 names a day should have triggered a red flag for managers who supervise those individuals."
Spokeswomen for both banks said safeguards are in place but declined to detail them.