In 2005, a massive security breach at four major U.S. banks, including Wachovia and Bank of America, shook consumer confidence in an industry built on trust. But this wasn’t a high-tech cyberattack. It was an inside job, driven by profit and enabled by weak internal safeguards. The breach revealed a far more unsettling truth: sometimes, the people trusted to protect our financial information are the very ones selling it.
An Inside Job With a Million-Dollar Payout
The breach affected nearly 700,000 customers across Wachovia, Bank of America, Commerce Bancorp, and PNC. Employees at these banks sold customer account data, including account numbers and balances, to a man named Orazio Lembo. He ran a fake collection agency called DRL Associates. Lembo paid bank insiders $10 per name, then flipped the stolen information to over 40 law firms and debt collectors.
Authorities estimated Lembo made millions over four years. His informants, regular employees working behind the counter, each walked away with tens of thousands.
It wasn’t until April 28, 2005, that the operation began to unravel. Hackensack, New Jersey police arrested nine people, including Lembo and seven bank employees. The breach would eventually grow to ten arrests and 676,000 affected individuals, a number that likely underrepresents the scale, given that many had multiple accounts.
Banks Respond But Confidence Is Harder to Restore
Both Wachovia and Bank of America quickly moved into damage control mode. Bank of America alerted 60,000 customers; Wachovia notified 48,000. Credit monitoring services were offered. Internal investigations were launched. Public statements were made.
There was no walking this one back.
At the time of disclosure, neither bank found evidence the stolen data had been used for fraud or identity theft. That didn’t stop the anxiety for customers who suddenly learned their personal financial data had been passed around like merchandise.
Notably, none of the affected account holders were located in California, which may explain why the breach, despite its scope, didn’t lead to immediate national legislative change. California had some of the strictest disclosure laws at the time. Breaches affecting its residents tended to make bigger waves.
Who’s Protecting the Gate?
This incident wasn’t just about individual bad actors. It exposed systemic vulnerabilities in the banking industry, flaws that made it possible for low-level employees to quietly sell off sensitive data for years.
While external threats like hackers and cybercriminals often grab headlines, internal breaches are harder to detect and even harder to prevent. They don’t require technical skills. Just access and opportunity.
Even worse, Lembo didn’t target underground networks. He sold the stolen data to legitimate law firms and collectors, suggesting a market ready to overlook ethical red flags if the price was right.
Although using the stolen data is considered illegal, there is no documentation of formal punishment or regulatory action in this case against the companies that bought it.
A Pattern Begins to Emerge
The Wachovia and Bank of America breach was part of a larger trend in the mid-2000s. Around this time, other major companies, like ChoicePoint and LexisNexis, also reported breaches involving tens of thousands of consumer records. The Wachovia case helped reinforce what many feared: identity theft was evolving into an organized industry, and insiders were becoming an essential part of the equation.
Security Isn’t Just About Firewalls
When people think about protecting their money, they picture strong passwords, encrypted networks, and fraud alerts. But in this case, none of those would have helped. What went wrong wasn’t digital. It was human.
This breach is a sobering reminder that trust is not a security measure. It must be backed by clear protocols, strong internal oversight, and real accountability. If the financial industry doesn’t protect consumers from threats within, then no vault, firewall, or credit alert will ever be enough.
📌 Changelog
- June 7, 2025: Article re-written to add additional information.
- May 17, 2015: Original article posted.