Data Dive

Data Dive, Breaches And Security Blips Edition: KeyBank, Microsoft And Bulgaria 

Date Dive: Starbucks, San Francisco, Rate Caps

As temperatures nationwide heated up, the world of payments and commerce followed suit.  Between the commerce explosion that was the celebration of Prime Day and the blistering rounds of questions various Big Tech reps endured on Capitol Hill, things got and stayed unseasonably warm across the segment last week.

Unfortunately, also adding heat this week was the world of fraudsters and hackers, with a few pretty sizable security blips and glitches.

Starting with…

KeyBank’s Costly Payroll Fraud Problem 

Regional banking force KeyCorp disclosed a massive fraud that could potentially cost as much as $90 million, according to reporting out of CNBC last week.  Details about the fraud are limited and come care of a K8 filing with the SEC that indicates that fraud involved a “business customer” that was discovered “on or about” July 9. According to the filing, the event occurred at the beginning of Q3.

Interlogic Outsourcing is reportedly the customer involved — the Ekhart, Indiana-based firm processes payrolls. The firm has been named in a suit filed by the bank on allegations that Interlogic “fraudulently initiated wire transfers” at a time when CEO Najeeb Khan knew there weren’t sufficient funds to cover the transfers.

An analyst at Baird said the revelations were “unfortunate” but “manageable.”

“While we acknowledge that this isn’t a pretty headline, we believe any weakness beyond 1.5 percent-2 percent is an opportunity to add to positions,” said analyst David George. “Key remains well-positioned for the current environment, given its neutral rate positioning and opportunity to cut costs to the extent rates remain low.”

KeyCorp’s share price took a beating in response to the disclosure — stock price dipped 1.8 percent, and the company lost about $178 million from its market cap.

“The company is working with the appropriate law enforcement authorities in connection with this matter,” KeyCorp said in the filing. The company believes the incident is an isolated one, based on the bank’s “review of the circumstances of the fraudulent activity.”

The company said it will “pursue all available sources” to minimize its losses. The bank is currently working with law enforcement on the issue. It’s a loss for KeyCorp — but by far not the week’s biggest, or most explosive, case of fraud.  No, for that story, one would have to jump across the pond and into the Baltic for the curious case of the country that got hacked.

Bulgaria’s Big Breach 

This week the world got an admission from Bulgaria’s finance minister that a hacker managed to make off with the data of nearly every tax-paying Bulgarian citizen, according to a report by Reuters.

The minister understandably apologized to the country.

The hack reportedly happened at the end of June at Bulgaria’s tax agency, the National Revenue Agency (NRA). Who is behind the hack and why it happened remains unknown, though officials do think it originated outside Bulgaria.  Someone claiming to be a Russian national has already emailed Bulgarian media sources claiming to have access to the information, which includes upwards of 1.1 million personal identification numbers with income — as well as healthcare and social security — information.

Finance Minister Vladislav Goranov said although the information affected millions of people, it was not classified info and would not endanger the financial stability of the country. He also said the hacked data wasn’t detailed enough to offer “substantive conclusions” about anyone’s financial information and that if someone tried to take advantage of the data they “would fall under the impact of Bulgarian law.”

Despite efforts to downplay the attack, however, cybersecurity researcher Vesselin Bontchev, assistant professor at the Bulgarian Academy of Sciences, said the hack was a huge one.

“To the best of my knowledge, this is the first publicly known major data breach in Bulgaria,” he said. “It is safe to say that the personal data of practically the whole Bulgarian adult population has been compromised.”

Bulgarian officials have said they will release more information on the hack as it becomes available.

And finally, back in the U.S. …

Ex-Microsofter Nabbed For Stealing Millions In Digital Currency 

They say crime doesn’t pay — and on a long enough timeline, that is true.  But for former Microsoft engineer Volodymyr Kvashuk, the crime of stealing digital currency was in fact paying millions.

Or, at least, it was until he was caught this week and charged with mail fraud for allegedly stealing millions in digital money from Microsoft, according to the Department of Justice.

Kvashuk was working first as a contractor for Microsoft, and then a full time employee, from August 2016 to June of 2018 — during which time his job was to test the company’s online sales platform.

He did this job, but on the side, he also used his access to steal “currency stored value” (CSV) like gift cards. According to the U.S. Attorney’s Office, he then took that value and resold the currency on the internet. The testing program he was using was apparently not meant for the purchase of items with CSV.

He allegedly used the test accounts to buy the CSV and then unloaded it on internet reseller sites. At first, the amounts were relatively small, ranging in the area of $10,000. But then, the DOJ alleged, he upped his game and started stealing amounts in the millions, using a bitcoin “mixing” service to obfuscate the origin of the money so it wouldn’t be traced back to him.

With his proceeds he reportedly bought a $160,000 Tesla and $1.6 million in lakefront property.  He is accused of putting about $2.8 million in his bank accounts over about 7 months. Investigators at Microsoft approached him in May of 2018, and he was fired a month later.

Kvashuk had a hearing last Friday (July 19).

Mail fraud is punishable with a $250,000 fine and up to two decades in prison. In addition to the DOJ, the case is also being investigated by the U.S. Secret Service and the Internal Revenue Service Criminal Investigation’s Western Area Cyber Crime Unit.

So, what did we learn this week?

Just as there is no such thing as summer vacation in payments and commerce, there is no such thing as summer vacation for fraudsters. If anything, the heat only motivates them to up their ambitions.

Till next week!




Digital transformation has been forcefully accelerated, but how does that agility translate into the fight against COVID-era attacks and sophisticated identity threats? As millions embrace online everything, preserving digital trust now falls mostly on banks and FIs. Now, advances in identity data and using different weights on the payment mix afford new opportunities to arm organizations and their customers against cyberthreats. From the latest in machine learning for fraud and risk, to corporate treasury teams working in new ways with new datasets, learn from experts how digital identity, together with advances like real-time payments, combine to engender trust and enrich relationships.