The human cost of cyberfraud

Bank of America insider fraud victim shares his story at Cybersecurity Festival

Being a victim of cyberfraud is devastating

The human cost of cyberfraud was very much in evidence at the Cybersecurity Festival earlier today, when Wayne Johncock, former CIO of Centrica and co-founder of an edtech venture, shared his experience of being a victim of insider fraud perpetrated at Bank of America.

Whilst seeking investment for his edtech venture back in 2018, Wayne Johncock had the misfortune to meet Rajesh Ghedia at a party. Ghedia claimed to hold a senior investment role with Bank of America. He was in fact a project manager within the technology team.

Having parted Mr Johncock and others from hundreds of thousands of pounds by convincing them that the money was growing safely in an investment fund, Ghedia was jailed for seven years in 2022.

Computing continues to report on Mr Johncock's efforts to hold Bank of America to account for failing to find the rogue employee in their midst until it was too late for Mr Johncock and a number of others - despite what should have been a lot of red flags.

"I thought I was a person who would never get conned. I was conned hook, line and two sinkers," he says. "This has wiped us out financially, our business and personally."

Bank of America have always refused to comment about just how an organisation in such a highly regulated industry managed to miss the fact that for approximately two years, a rogue employee was operating in plain sight. As Mr Johncock says:

"This is a company who have spent $35 billion over 12 years on their cyber and technology systems. They have an annual budget of a billion dollars and 3000 in their cyber team."

How can an employee like Ghedia possibly have operated for so long?

Mr Johncock wasn't easy to con. Right from the start he seeded emails with words and phrases that should have triggered cybersecurity alerts in the case of something being amiss. Ghedia managed to ensure that emails and other communications were convincingly headed and signed. As the fraud progressed, false statements were cooked up purporting to show Mr Johncock's investment growing nicely.

After the fraud was uncovered, despite Mr Johncock's shock at what had happened, he was comforted to some extent by police involvement, and ultimately by the fact that the man who stole from him was jailed in 2022. We were post GDPR, and Mr Johncock assumed that organisations like the ICO and FCA would be right behind him in efforts to recover the money stolen from him. Not so.

"Bank of America and the police initially told me not to do anything to jeopardise the criminal case, so I hung on for that," he said.

"When I contacted the ICO after he was jailed they said they didn't deal with data breaches where there was criminal activity. The police said they didn't deal with criminality that involved data breaches."

Mr Johncock asserts that Ghedia's ability to evade detection for so long demonstrates negligence. Bank of America's response has been to argue that there is insufficient evidence to prove it. The company continues to insist that, given Mr Johncock was not a customer, it had no legal obligation to protect his data and, crucially, his money.

Part of what made Mr Johncock's testimony at the Cybersecurity Festival so moving was his acknowledgement that being the victim of a scam like this feels humiliating – especially when you've worked in that field.

"People have got in contact with me to thank me for being brave enough to speak out because as victims of fraud they didn't want to speak up as they felt humiliated. Victims won't speak up. I've been in touch with victims' groups and only one in 1,000 people who commit financial crimes get caught," he said.

Recently, the ICO did comment on Mr Johncock's case to Computing, and confirmed that 'arguably' there was no distinction between personal and customer data.

Yet that distinction seems to be being leveraged by Bank of America to deny any responsibility for the fraud perpetrated within its operation.

Mr Johncock's campaign and legal efforts continue.