By Bruce Sussman
Wed | Nov 6, 2019 | 6:57 AM PST

He's 40 years old and lives in Las Vegas.

Just like someone at a craps table, things were running hot for a while and the money was piling up.

Now, this financial services vendor turned insider threat is losing it all to the U.S. government.

Non-traditional insider threat starts as legitimate business

Gareth David Long ran a legitimate third-party payment processing company known as V Internet Corp. It offered a niche service most of us may not know about.

The U.S. Department of Justice explains:

Long specialized in the creation and deposit of remotely-created checks ("RCCs"). An RCC is a check created not by the account holder, but by the third-party payee. In place of a signature, Long's RCCs contained a typed statement claiming that the check was authorized by the account holder. Because of this payment processing activity, Long possessed the personal and financial information of hundreds of thousands of consumers....

So he and his company spent years working with customers and merchants and collecting personal data on consumers—data the company needed for legitimate transactions.

And then, Long and his company quit serving clients.

Insider threat: vendor steals data and million$

Although Long and V Internet Corp. quit serving clients, the company continued to operate as a business.

Suddenly, it was the insider threat customers and banks never saw coming. This allowed the company to steal millions of dollars before getting caught.

Says the Department of Justice:

Long stopped acting as a third-party payment processor for other merchants, and simply started using RCCs to charge the bank accounts of consumers whose personal identifying information he had acquired over the previous five years, as well as other consumers whose information Long purchased in the form of "lead lists." Long did not have authorization to charge any of these victims' accounts.   

From January through July of 2013, Long created and deposited more than 750,000 RCCs totaling more than $22 million. While approximately half of these RCCs were immediately reversed by victims' banks, Long nevertheless succeeded in stealing approximately $11 million over a six-month period.

You can picture it, can't you?

The profits were vast, the chips stacking up. The millions were rolling in. Long purchased a ranch, three airplanes, cars, even a fire truck. He was riding high.

Employees forced into insider threat scheme

If you steal that much money, that quickly, you'd expect someone to notice. 

And the people Long admits to stealing from sure did. He put his employees in the middle of the scheme.

"When account holders called to complain about the charges, Long instructed his employees to tell callers that they had authorized the charges in connection with an online payday loan application."

His years of running a legitimate business helped. His multi-year relationship with banks, as an insider in the payment processing industry, helped. These things worked together in convincing financial institutions that many of the debits were legitimate.

The DOJ says he attempted debits totaling $22 million, and about half of that amount actually went through without being reversed by a financial institution.

Insider threat: his luck runs out

And just like any of the table games in Vegas, your luck will eventually run out.

This week, Long admitted that he created and deposited checks drawn on the checking accounts of more than 375,000 victims without authorization. And he pleaded guilty to federal charges, with sentencing set for January 2020.

Now, the U.S. Postal Inspection Service, which played a key part in investigating this case, is seizing millions in cash, his 23-acre ranch, his airplanes, and even that fire truck.

You could say his luck ran out and the chips are down.

Gareth David Long is a non-traditional insider threat. He serves as a reminder that sometimes it's not your own employee going rogue, it's a vendor you trusted.
