You read that headline right… it took 20 years to uncover $40 million in fraudulent transactions by a former employee of CBS Employees Federal Credit Union. Well… unfortunately everyone is now a former employee of the credit union because they closed last week after this fraud came to light.
The alleged suspect, Edward Rostohar, worked at the credit union for 30 years. According to authorities, he explained to them how he had been stealing for 20 years, totaling $40 million. He allegedly had been making online payments to himself. And the only reason he was caught was because another employee stumbled across a $35,000 check made out to Rostohar.
There are two questions this raises:
- Why did it take 20 years to discover that $40 million was stolen from the credit union? More information will come out during the investigation, but you have to wonder how he was able to continuously cover his tracks. Were there no control processes in place to prevent Rostohar from submitting invoices or expense reports, approving them, and paying himself? Were there no red flags when payments to one vendor (himself) passed a certain threshold that should have required review?
- Isn’t it ridiculous that he allegedly kept stealing more and more money to reach $40 million?!? That’s just crazy. It reminds me of an all-you-can-eat buffet. There are only so many trips you can make to fill your plate before you say to yourself, “I’m full. I can’t eat another bite.” But no, he kept filling up that plate over and over, year after year. I know, I’m focusing on this aspect of the story too much but it’s actually a warning sign to any company. Once the inside threat finds a loophole in your system, they will return for more.
In response to this theft, the National Credit Union Administration, a federal agency that regulates credit unions, liquidated the credit union and closed its doors. Its assets were assumed by University Credit Union.
This story should be a red flag for every company. Rostohar was a trusted employee for 30 years and was never suspected of embezzling. He had access to applications that allowed him to approve payments to himself. And controls weren’t in place to prevent this type of activity from happening.
Find out what steps you need to take. Click here to view our on-demand webinar 10 Steps to Prevent the Insider Threat from Wreaking Havoc on Your Applications.