SunTrust Banks said last week that a former employee may have downloaded the information of 1.5 million clients in an attempt to share the data with a third-party.
The stolen information likely included names, addresses, phone numbers and account balances, according to SunTrust’s release. But it appears that personally identifying information like social security numbers, account numbers, PINs, user IDs, driver’s license information, and passwords were not taken.
SunTrust Chief Executive Officer William Rogers disclosed the incident during a post-earnings call with analysts on Friday, Reuters reports. Rogers said the download attempt occurred six to eight weeks ago, and also said that no significant fraudulent activity was identified.
SunTrust has reportedly declined to disclose both the location of the branch where the employee attempted to steal data, and the identity of the “criminal” third-party with which the employee was trying to connect.
It appears as if SunTrust and its customers may have dodged a bullet in this case, as the company believes the stolen info never left the bank. Despite this, SunTrust is still offering a free identity protection service to its customers for free “on an ongoing basis.” SunTrust clients can enroll on the bank’s website.
Breach, Not A Breach — Does It Matter?
Rogers also claimed this was not a data breach, “adding the employee was not authorized to get that level of information,” as Reuters noted. It’s unclear, however, if “that level of information” is referring to the names and account balances, or the other information that wasn’t accessed.
There’s been a bit of a debate recently on what actually constitutes a data breach, but clients won’t exactly feel more secure if their information is leaked just because a “breach” doesn’t meet some established definition. This incident also illustrates how it can be tough to account for the human element — a malicious actor within the system.
SunTrust said it would be notifying customers who may have been affected by the incident.