Credit firm insists insider selling customer data is no security concern

A database administrator at Fidelity National Information Services was fired for stealing and selling up to 2.3 million customer bank and credit card records.

Fidelity National Information Services has admitted this week that Certegy Check Services, a Fidelity subsidiary that provides check processing services, was "victimised" by a database administrator who stole and sold bank and credit card data on up to 2.3 million customers.

Fidelity said in a statement that the administrator misappropriated and sold consumer information to a data broker who in turn sold a subset of that data to a limited number of direct marketing organisations. The incident does not involve any outside intrusion into or security compromise of Certegy's IT systems, the company added.

"As a result of this apparent theft, the consumers affected received marketing solicitations from the companies that bought the data," said Renz Nichols, President of Certegy Check Services, in a statement. "We have no reason to believe that the theft resulted in any subsequent fraudulent activity or financial damage to the consumer, and we are taking the necessary steps to see that any further use of the data stops."

Certegy maintains bank account information in connection with its check authorisation business that helps merchants decide whether to accept checks as payment for goods and services. The company also keeps check and credit card information for gaming operations designed to help casinos provide customers with access to funds.

Certegy said the theft was discovered when one of its retail check processing customers "alerted Certegy to a correlation between a small number of check transactions and the receipt by the retailer's customers of direct telephone solicitations and mailed marketing materials. Certegy launched an immediate investigation and was unable to detect any breach of its security systems and, thereafter, engaged a forensic investigator to validate its findings."

The US Secret Service was brought in to help investigate and the suspicious activity was traced to a senior-level database administrator responsible for defining and enforcing data access rights. To avoid detection, the administrator physically removed the information from Certegy's facility instead of risking detection through electronic transmissions. The employee has since been fired.

Compromised information included names, addresses, and telephone numbers as well as dates of birth and bank account or credit card information. Certegy said 2.3 million records are believed to have been affected, with approximately 2.2 million containing bank account information and 99,000 containing credit card information. The company is still investigating the time period over which the misappropriations occurred.

"While Certegy's investigation continues, it has seen no evidence that bank account or credit card information was used for anything other than marketing purposes, and is unaware of any instance of identity theft or fraudulent financial activity," the company said. "Certegy is doing everything possible to ensure that any inconvenience experienced by consumers is minimised."

The company has filed a civil complaint in St. Petersburg against the former employee and the marketing companies believed to have received the stolen data. Certegy wants to retrieve all consumer information and get an injunction against any use of that data. The company is also in the process of "making any required notifications to governing state regulatory agencies."

This is the latest in a long string of corporate data breaches since the ChoicePoint breach made headlines in early 2005. According to the Privacy Rights Clearinghouse, the records of more than 158 million U.S. residents have been exposed due to security breaches since January 2005.

One of the most notorious breaches occurred at TJX Companies, where at least 45.7 million credit and debit card holders were exposed to identity fraud.

Read more on IT risk management