Fidelity National Information Services has admitted this
week that Certegy Check Services, a Fidelity subsidiary that
provides check processing services, was "victimised" by a database
administrator who stole and sold bank and credit card data on up to
2.3 million customers.
Fidelity said in a statement that the administrator misappropriated
and sold consumer information to a data broker who in turn sold a
subset of that data to a limited number of direct marketing
organisations. The incident does not involve any outside intrusion
into or security compromise of Certegy's IT systems, the company
added.
"As a result of this apparent theft, the consumers affected
received marketing solicitations from the companies that bought the
data," said Renz Nichols, President of Certegy Check Services, in a
statement. "We have no reason to believe that the theft resulted in
any subsequent fraudulent activity or financial damage to the
consumer, and we are taking the necessary steps to see that any
further use of the data stops."
Certegy maintains bank account information in connection with
its check authorisation business that helps merchants decide
whether to accept checks as payment for goods and services. The
company also keeps check and credit card information for gaming
operations designed to help casinos provide customers with access
to funds.
Certegy said the theft was discovered when one of its retail
check processing customers "alerted Certegy to a correlation
between a small number of check transactions and the receipt by the
retailer's customers of direct telephone solicitations and mailed
marketing materials. Certegy launched an immediate investigation
and was unable to detect any breach of its security systems and,
thereafter, engaged a forensic investigator to validate its
findings."
The US Secret Service was brought in to help investigate, and the
suspicious activity was traced to a senior-level database
administrator responsible for defining and enforcing data access
rights. To avoid detection, the administrator physically removed
the information from Certegy's facility rather than sending it out
through electronic transmissions. The employee has since been
fired.
Compromised information included names, addresses, and telephone
numbers as well as dates of birth and bank account or credit card
information. Certegy said 2.3 million records are believed to have
been affected, with approximately 2.2 million containing bank
account information and 99,000 containing credit card information.
The company is still investigating the time period over which the
misappropriations occurred.
"While Certegy's investigation continues, it has seen no
evidence that bank account or credit card information was used for
anything other than marketing purposes, and is unaware of any
instance of identity theft or fraudulent financial activity," the
company said. "Certegy is doing everything possible to ensure that
any inconvenience experienced by consumers is minimised."
The company has filed a civil complaint in St. Petersburg
against the former employee and the marketing companies believed to
have received the stolen data. Certegy wants to retrieve all
consumer information and get an injunction against any use of that
data. The company is also in the process of "making any required
notifications to governing state regulatory agencies."
This is the latest in a long string of corporate data breaches
since the ChoicePoint breach made headlines in early 2005.
According to the Privacy Rights Clearinghouse, the records of
more than 158 million U.S. residents have been exposed due to
security breaches since January 2005.
One of the most notorious breaches occurred at TJX Companies,
where at least 45.7 million credit and debit card holders were
exposed to identity fraud.