You may have heard of Charlie Javice and her now-defunct company Frank, as they have been in the news a lot lately. But in case you haven’t heard of Charlie Javice, she, through her company Frank, it is alleged, conspired to fleece J.P. Morgan Chase (JPMC) out of millions of dollars by perpetrating a fraud whereby they fabricated a user list of millions of people, including email addresses, and then used that to entice JPMC to acquire them. Here’s how they did it, what happened next, and how they were brought down and are now facing criminal charges.
Frank was a company set up as a service to students looking for financial assistance for their education. They claimed to have the contact information of 4.25million users who had registered at the Frank website. J.P. Morgan Chase was purchasing Frank in order to acquire the contact information for those 4.25 million individuals that Frank claimed to have. Only Frank didn’t have the contact information of 4.25million users. Frank didn’t even have 425,000 users. They had about 300,000.
Now, the criminal complaint against Charlie Javice, brought by the Securities and Exchange Commission (SEC), is pretty compelling. It starts out by saying that “In the summer of 2021, Javice sold the company she founded, Frank, for $175 million to JPMorgan Chase Bank, N.A. (“JPMC”). Through the deal, JPMC was eager to acquire the identity information of the 4.25 million customers — purportedly students looking to finance their educations — that Javice repeatedly claimed Frank had collected. JPMC had been seeking to expand its market share for financial services and products to the largely untapped student segment of the population and hoped to use Frank’s customer information to target those prospects.”
“But,” the SEC complaint goes on to say, “as Javice knew, Frank did not have 4.25 million student customers or their identifying information. Javice, Frank’s CEO, understood that Frank’s customer data was the asset that JPMC wanted, and that JPMC would not pursue an acquisition if it knew the truth: that Frank in fact had identifying data for only about 300,000 students. Therefore, to ensure that JPMC went forward with the transaction, Javice embarked on a fraudulent scheme to (1) hide the fact that Frank had identifying data for only about 300,000 students; and (2) fabricate data to falsely support Javice’s claims”
Knowing that once the acquisition was completed J.P. Morgan Chase would be able to see that they actually only had 300,000 user records, Javice tried various ways to bulk their user list up from 300,000 to 4.25 million. For example, says the SEC complaint, Javice and another Frank executive “began an effort to create a list of real names that they could pass off as Frank’s customers.” Wow.
Javice started this effort to hoodwink JPMC by getting the names of students from one data broker, and then the phone numbers and email addresses to go with those names from another data broker. However that didn’t get her to the claimed number of 4.25million.
So ultimately what she did was contact a data science professor whom she knew, and she asked him to “use ‘synthetic data’ to create 4.265 million customer names, addresses, email addresses, birthdays, and other identifying information requested by JPMC.”
She then instructed the data science professor (who is curiously never named in the complaint but only referred to as “Data Science Professor”, which leads us o believe that he struck a deal with the SEC) “in creating a list of fake user data, answering questions from him about how the data should look. For example, Javice confirmed that the Data Science Professor would ‘sample first name and last name independently and then ensure none of the sampled names are real’. For address information, Javice and the Data Science Professor agreed that while real addresses would not be used, street names would match actual street names located in the state for that address.”
Lest anyone think that “the Data Science Professor” was not clear on what they were doing, and that it was wrong, the criminal complaint also says that “The Data Science Professor warned that because the information he was supplying indicated that many of the “students” were living, and attending high school and college in the same town and state, it ‘would look fishy’ if someone ‘were to audit it’.” and that “When the Data Science Professor advised that it would be difficult to create real looking email addresses, Javice suggested that he instead insert a ‘unique ID.’ Unique IDs are commonly used to share sensitive real information by replacing the real data with a unique, and random, alphanumeric string. But Javice was suggesting their use to conceal the obviously fake data, and to create the misimpression that real, but sensitive, data was being protected.”
So the data science professor dutifully generated a list of 4,265,085 alleged user accounts with a first name, last name, phone number, and ’email address’, the email address slot being filled not by an actual email address, but by a “unique ID”, making it look like the reason there were no email addresses was because they had been obfuscated for the sake of privacy considerations.
You should seriously read the complaint, because it is very straight-forward and easy to understand, and reads like the plot of a bad novel.
There’s a lot more, including how once Javice and the data science professor started using unique IDs instead of email addresses they were able to send the bogus list to a validation service who validated that there were indeed 4,265,085 complete entries in the database. Of course, they didn’t know that the unique IDs were not hiding actual email addresses, and so it all looked kosher when Javice presented the fully validated (but of course inflated) database to J.P. Morgan Chase… until…
JPMC sent out a test email marketing campaign to the database. And of course, the results were terrible.
Now here’s the ironic part:
“JPMC conducted an internal investigation regarding the poor results from the email marketing campaign. Because Frank’s historic emails and data had been transferred to JPMC as part of the merger, JPMC discovered Javice’s conversations with the Data Science Professor about creating synthetic data to provide to the Validator and the Data Compiler 1 list that the Frank Executive had purchased.”
That’s right, Javice was brought down by an email.
Oh, the irony.
And this is a good time to remind you that you should always have an email retention policy. You can read more about email retention policies here.