Database admin steals 2.3M consumer records at Fidelity National subsidiary
The data included names, addresses, birth dates, bank account and credit card information
July 3, 2007 12:00 PM ETComputerworld - Call it the case of hiring a fox to guard the hen house. A senior database administrator at a subsidiary of Fidelity National Information Services Inc. who was responsible for defining and enforcing data access rights at the company instead took data belonging to about 2.3 million consumers and sold it to a data broker.
The broker in turn sold a subset of the data to other marketing companies. The stolen data included names, addresses, birth dates, bank account and credit card information, the company said in a statement released today.
For the moment at least, it appears that the companies that bought the information have mainly used the data to send marketing solicitations to affected individuals, Fidelity said in its statement.
Fidelity National Information Services describes itself as a provider of "core financial institution processing, card issuer and transaction processing services, mortgage loan processing and related information products and outsourcing services to financial institutions, retailers, mortgage lenders and real estate professionals." It is separate from the better-known Fidelity Investments.
"We have no reason to believe that the theft resulted in any subsequent fraudulent activity or financial damage to the consumer," Renz Nichols, president of Fidelity subsidiary Certegy Check Services Inc. was quoted as saying in the release.
The database administrator, who has since been terminated, worked for Certegy, which provides a check-authorization service to help merchants decide whether to accept checks as payment for goods and service.
The theft was first noticed when one of Certegy's retail customers in early May reported a correlation between a "small amount" of check transactions and the receipt by the retailers' customers of telephone and mailed marketing solicitations, Fidelity said.
When an internal Certegy investigation prompted by the compliant failed to find any evidence of a computer breach, the company asked the U.S. Secret Service to contact the companies sending the solicitations to trace the data source.
The investigation showed that the source of the data was a company owned by the Certegy database administrator who had also stolen the data. To avoid detection, the administrator appears to have downloaded the data to a storage device rather than transmit it electronically. It wasn't until the middle of last week or so that the full extent of the theft was discovered, a Fidelity spokeswoman said this morning.
Certegy has begun notifying the 2.3 million affected customers about the potential compromise of their data, the spokeswoman said. It has also filed a civil complaint in St. Petersburg, Fla., against the database administrator and the companies that received the stolen data asking them to return it, she said.
In a statement, Fidelity president and CEO Lee Kennedy expressed his "deep sadness and heartfelt apology" over the incident. "We will do everything possible to ensure no consumer is harmed because of this horrible betrayal," he said.
Read more about security in Computerworld's Security Knowledge Center.
Fidelity
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...

