UJA-Federation is studying recommendations from a security consultant’s review of its donor transaction processing system after an employee’s arrest last week in a $2 million fraud-ring bust. But the agency is confident existing security measures are stringent and the recommendations may not have prevented the fraud by a trusted employee who was authorized to access financial data but allegedly betrayed that trust.
Manhattan District Attorney Cyrus Vance, Jr., has accused the employee, Tracy Nelson, 24, who worked as an operations, production and reporting representative at the charity, with stealing personal information such as credit card and checking account numbers in a scheme that allegedly involved 55 people. Nelson faces 14 counts of felony identity theft and various charges of conspiracy and grand larceny.
Major donors who were targeted by the scheme include Ira Rennert, who is estimated to be worth $5.9 billion and NBA Commissioner David Stern.
Nelson, a three-year employee, was suspended in August from the 95-year-old agency, which is the second largest philanthropic network in North America. At the time she was under investigation and has since been fired. The DA said Nelson was one of four insiders in the scheme who collected data, while the others were buyers, middlemen and recruiters, check-makers and account verifiers, some of them working at banks. Nelson is the only defendant connected to UJA-Federation.
Vance said banks and other lenders absorbed all the losses, including JPMorgan Chase, TD Bank, Citibank, American Express and Discover.
“Our donor contributions are completely intact,” said UJA-Federation spokeswoman Leslie Lichter. “The funds will continue to go to help support our mission, help people in need and engage the Jewish community.”
The agency’s chief financial officer, Irvin Rosenthal, said in an interview Tuesday that Nelson, like all employees, was subject to an extensive screening by an outside agency.
“The background check came back clean,” said Rosenthal. “The DA’s office and the security consultant we brought in to look at procedures told us that if a person has legitimate access to information in the course of their duties and wants to misuse that information, there is no way you can assure yourself 100 percent and prevent it.”
In announcing the bust after an 18-month investigation, Vance said “No organization or individual is immune to the threat of cybercrime. From ATM skimmers, to waiters stealing credit card info, to the exploitation of systemic weaknesses in bank systems, we are attacking cybercrime and identity theft head on. Today’s indictment reveals another tool of organized identity thieves — insiders who betray their employers and prey on clients.”
The New York Police Department was alerted to the scheme because it created a history of unusual transactions. “The checks didn’t bounce but they left a bread-crumb trail right back to the suspects,” said Commissioner Raymond Kelly.
UJA-Federation general counsel Ellen Zimmerman said there was no breach of the agency’s computer systems to outsiders. “There was no hacking,” she said. “This was plain, old-fashioned carrying out a piece of paper.”
Vance said Nelson’s duties included the processing of donations made to UJA by both check and credit card.
She was indicted on Dec. 16 alongside the man with whom she lived, Roberto Millar, an Audi car salesman, and pleaded not guilty. She was ordered held without bail.
In addition to the charity agency, the thieves allegedly took data from Millar’s employer, Open Road-Audi of Brooklyn and from Akam Associates, a residential property management firm in Manhattan.
According to the DA, some of the people arrested were members of the Bloods, Crips and Outlaws gangs and several were charged with grand larceny and identity theft.
Since last May, the gang cashed money or transferred it to their own bank accounts and reportedly bought electronics, expensive clothing and luxury cars, according to the New York Times. Three tellers at JP Morgan Chase Bank knowingly ignored suspicious transactions or stole information from customers’ accounts, according to reports.
UJA-Federation collects annual donations from about 60,000 contributors. Lichter, the agency’s spokeswoman, said that while an outside evaluation determined that existing security procedures were sound, the agency was studying its consultant’s recommendations for strengthening them. The officials declined to specify the recommendations.
In a statement posted on its website and also sent to donors, UJA-Federation said “we deeply regret that some donors have had their credit card or checking account numbers improperly shared through this criminal activity, as well as the worry that it has caused.”