EFX Equifax Inc

Names, addresses, phone numbers and account balances are believed to be included

By Austen Hufford and Christina Rexrode 

This article is being republished as part of our daily reproduction of WSJ.com articles that also appeared in the U.S. print edition of The Wall Street Journal (April 21, 2018).

SunTrust Banks Inc. said an employee may have stolen the information of about 1.5 million customers and provided it to a "criminal third party," the latest example of a potential breach that underscores the vulnerability of consumers' private data.

The Atlanta-based bank on Friday said the employee, who no longer works at SunTrust, attempted to access client information, although it has "not identified significant fraudulent activity" around the accounts involved.

Companies including banks are increasingly contending with data risks from both outside actors and misconduct by company employees. Consumers are already on edge about the security of their data after a massive breach at credit-reporting firm Equifax Inc., where a cyberattack last year exposed the data of 147.9 million U.S. consumers.

SunTrust, which is one of the larger U.S. regional banks by assets, said it became aware in late February that an employee attempted to inappropriately download client information and it began an internal investigation. About a week ago, the bank learned that the employee may have attempted to print the information and share it outside the bank. Chief Executive Bill Rogers said that triggered his decision to disclose the possible breach.

Banks and other companies have disclosed numerous types of data breaches in recent years, though they are often the work of sophisticated, outside hackers. For example, a cybersecurity attack on JPMorgan Chase & Co. in 2014 exposed the information of more than 70 million households, one of the broadest disclosed attacks of its kind against a major financial institution.

But security threats can also come from inside. For example, New York Attorney General Eric Schneiderman has urged banks to rein in their tellers' access to customer data.

SunTrust said it is working with law enforcement. A bank spokeswoman declined to name the former employee or comment on the timing of the departure. She also declined to say where the employee worked within the bank or whether the person had been arrested.

SunTrust said it believes that the exposed information includes names, addresses, phone numbers and account balances. Clients' Social Security numbers, account numbers, passwords and driver's license information weren't affected, it added.

"Ensuring personal information security is fundamental to our purpose as a company of advancing financial well-being," Mr. Rogers said in a statement. "We apologize to clients who may have been affected by this."

SunTrust said that it is notifying customers whose data may have been affected and that it will provide free identity-protection services to all consumer-banking clients.

The company said it would continue monitoring affected accounts for fraudulent activity. Despite the recent issue, Mr. Rogers said the bank's fraud losses in the first quarter were "lower than they've been relative to the recent past."

The CEO described the bank's costs related to the incident as "modest," though the incident could put a cloud of uncertainty around the bank.

SunTrust shares declined 19 cents, or 0.3%, to $66.84 on Friday.

Write to Austen Hufford at austen.hufford@wsj.com and Christina Rexrode at christina.rexrode@wsj.com

(END) Dow Jones Newswires

April 21, 2018 02:47 ET (06:47 GMT)

Copyright (c) 2018 Dow Jones & Company, Inc.