ICO breaks silence on Bank of America fraud case

Data regulator has maintained a 'no comment' policy for months

A loophole in the law means one CIO, who lost £400,000 to a scam, is struggling to get his case heard.

Last year we wrote about Wayne Johncock, former CIO at Centrica and founder of Super Learning Series, who - with his wife Nicky - had fallen victim to a sophisticated scam run from inside Bank of America, seemingly without the corporation's knowledge.

Rajesh Ghedia, an internal project manager, met the Johncocks at a Christmas party in 2018, when he claimed to hold a senior trading position in the bank. He pulled the same scam on multiple people before being caught, and is now in jail. Wayne has only got back a fraction of the money he lost.

However, it isn't just about the money. For years now, Wayne has been after one thing above all others: justice against Bank of America, for what he believes is its liability for allowing such a scam to be pulled using its internal systems.

The case is complex, involving both traditional crime (theft) and a cyber element (misuse of personal data). While the former closed with Ghedia's jailing, the latter - Wayne says - remains open.

His position is that because his data (passport scans, etc) was taken by the scammer and stored on a Bank of America-issued laptop, the ICO and/or City of London Police (CoLP) should pursue the company for a breach of the GDPR and Data Protection Act.

When I wrote the first article on the topic, I reached out to both the ICO and CoLP, and found a grey area: the ICO wouldn't pursue further because criminal activity was involved, and maintained that Ghedia's circumventing of the controls at BofA should have been picked up in the police investigation. The police didn't want to be further involved because it was a data issue and therefore one for the ICO, which, the CoLP stressed, has powers of prosecution of its own.

Data protection law as it relates to the case is unclear, and we kept trying to contact the ICO to clear the matter up. It took several months, but we - working with Wayne - finally received a response. A spokesperson said:

"There's no evidence...to suggest that BofA don't have adequate security around the personal data they are responsible for [(emphasis ours)]. Ultimately they were not responsible for [Wayne's] information because [he was] never a customer of theirs and so it wasn't up to them to keep [his] information safe."

This response makes a distinction between customer data and personal data. While the two terms tend to be used interchangeably when discussing data protection, legally no such separation exists in either the GDPR or British data protection law. We confirmed this with the ICO separately, using the regulator's live chat service.

We also raised a question about Ghedia's use of his Bank of America email, which - as a VP at the company - he leveraged to defraud people. Wayne contends this should have triggered alerts in the bank's systems. The ICO disagreed.

According to the same spokesperson, the regulator's position is that companies necessarily extend a certain level of trust to their employees, and "not all emails can be checked and supervised." We're sure this will be comforting for victims of fraud.

Wayne says he is still "baffled" about how Bank of America's cybersecurity team, which numbers more than 3,000 people, can miss such a crime; and equally, how a single external person was the one to advise them of the criminal activities.

The ICO has not responded to further questions on the subject.

Wayne Johncock will be speaking about his experiences, and how to detect and stop insider threats, at the Cybersecurity Festival in May.