SunTrust Bank disclosed Friday that a former employee may have shared information on 1.5 million customers with a criminal third-party.
The bank learned of the potential breach in February and immediately began an investigation with the help of "outside experts", a spokeswoman confirmed to CBS MoneyWatch. She declined to provide details on the former employee or the status of the investigation.
At first, SunTrust thought the information was "contained," the spokeswoman said. The company decided to notify customers when it determined that information including names, addresses, and certain account balances were printed "for use outside of SunTrust."
According to SunTrust, personally identifiable information such as Social Security numbers, account numbers, driver's license numbers and ATM pins were not exposed.
Law enforcement officials have been notified.
SunTrust CEO Bill Rogers apologized to the customers who were affected by the incident and is providing them with free credit monitoring.
"We have heightened our monitoring of accounts and increased other security measures," Rogers said. "While we have not identified (any) significant fraudulent activity, we will reinforce our promise to clients that they will not be held responsible for any loss on their accounts as a result."
Laws in all 50 states require the notification of consumers when personal information that could make a consumer vulnerable to identity theft.
A recent report from security firm Armor Defense argued that thieves are doing a brisk business selling stolen bank account information.